fix: use timing-safe comparison for OPER credentials

Replace plain != string comparison with crypto/subtle.ConstantTimeCompare
for both operator name and password checks in handleOper to prevent
timing-based side-channel attacks.

Closes review feedback on PR #82.

.gitignore

@@ -21,6 +21,7 @@ node_modules/
 *.key
 
 # Build artifacts
+web/dist/
 /neoircd
 /bin/
 *.exe

Dockerfile

@@ -1,3 +1,13 @@
+# Web build stage — compile SPA from source
+# node:22-alpine, 2026-03-09
+FROM node@sha256:8094c002d08262dba12645a3b4a15cd6cd627d30bc782f53229a2ec13ee22a00 AS web-builder
+WORKDIR /web
+COPY web/package.json web/package-lock.json ./
+RUN npm ci
+COPY web/src/ src/
+COPY web/build.sh build.sh
+RUN sh build.sh
+
 # Lint stage — fast feedback on formatting and lint issues
 # golangci/golangci-lint:v2.1.6, 2026-03-02
 FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
@@ -5,6 +15,9 @@ WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
+# Create placeholder files so //go:embed dist/* in web/embed.go resolves
+# without depending on the web-builder stage (lint should fail fast)
+RUN mkdir -p web/dist && touch web/dist/index.html web/dist/style.css web/dist/app.js
 RUN make fmt-check
 RUN make lint
 
@@ -21,6 +34,7 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
+COPY --from=web-builder /web/dist/ web/dist/
 
 RUN make test
 

REPO_POLICIES.md

@@ -1,6 +1,6 @@
 ---
 title: Repository Policies
-last_modified: 2026-02-22
+last_modified: 2026-03-09
 ---
 
 This document covers repository structure, tooling, and workflow standards. Code
@@ -98,6 +98,13 @@ style conventions are in separate documents:
   `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
   a new repo.
 
+- **No build artifacts in version control.** Code-derived data (compiled
+  bundles, minified output, generated assets) must never be committed to the
+  repository if it can be avoided. The build process (e.g. Dockerfile, Makefile)
+  should generate these at build time. Notable exception: Go protobuf generated
+  files (`.pb.go`) ARE committed because repos need to work with `go get`, which
+  downloads code but does not execute code generation.
+
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 
 - Never force-push to `main`.
@@ -144,8 +151,14 @@ style conventions are in separate documents:
 - Use SemVer.
 
 - Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary. Pre-1.0.0: modify existing migrations (no installed base assumed).
+  the binary.
-  Post-1.0.0: add new migration files.
+    - `000_migration.sql` — contains ONLY the creation of the migrations
+      tracking table itself. Nothing else.
+    - `001_schema.sql` — the full application schema.
+    - **Pre-1.0.0:** never add additional migration files (002, 003, etc.).
+      There is no installed base to migrate. Edit `001_schema.sql` directly.
+    - **Post-1.0.0:** add new numbered migration files for each schema change.
+      Never edit existing migrations after release.
 
 - All repos should have an `.editorconfig` enforcing the project's indentation
   settings.

cmd/neoirc-cli/main.go

@@ -1,804 +1,8 @@
 // Package main is the entry point for the neoirc-cli client.
 package main
 
-import (
+import "git.eeqj.de/sneak/neoirc/internal/cli"
-	"fmt"
-	"os"
-	"strings"
-	"sync"
-	"time"
-
-	api "git.eeqj.de/sneak/neoirc/cmd/neoirc-cli/api"
-)
-
-const (
-	splitParts  = 2
-	pollTimeout = 15
-	pollRetry   = 2 * time.Second
-	timeFormat  = "15:04"
-)
-
-// App holds the application state.
-type App struct {
-	ui     *UI
-	client *api.Client
-
-	mu        sync.Mutex
-	nick      string
-	target    string
-	connected bool
-	lastQID   int64
-	stopPoll  chan struct{}
-}
 
 func main() {
-	app := &App{ //nolint:exhaustruct
+	cli.Run()
-		ui:   NewUI(),
-		nick: "guest",
-	}
-
-	app.ui.OnInput(app.handleInput)
-	app.ui.SetStatus(app.nick, "", "disconnected")
-
-	app.ui.AddStatus(
-		"Welcome to neoirc-cli — an IRC-style client",
-	)
-	app.ui.AddStatus(
-		"Type [yellow]/connect <server-url>" +
-			"[white] to begin, " +
-			"or [yellow]/help[white] for commands",
-	)
-
-	err := app.ui.Run()
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-		os.Exit(1)
-	}
-}
-
-func (a *App) handleInput(text string) {
-	if strings.HasPrefix(text, "/") {
-		a.handleCommand(text)
-
-		return
-	}
-
-	a.mu.Lock()
-	target := a.target
-	connected := a.connected
-	a.mu.Unlock()
-
-	if !connected {
-		a.ui.AddStatus(
-			"[red]Not connected. Use /connect <url>",
-		)
-
-		return
-	}
-
-	if target == "" {
-		a.ui.AddStatus(
-			"[red]No target. " +
-				"Use /join #channel or /query nick",
-		)
-
-		return
-	}
-
-	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
-		To:      target,
-		Body:    []string{text},
-	})
-	if err != nil {
-		a.ui.AddStatus(
-			"[red]Send error: " + err.Error(),
-		)
-
-		return
-	}
-
-	timestamp := time.Now().Format(timeFormat)
-
-	a.mu.Lock()
-	nick := a.nick
-	a.mu.Unlock()
-
-	a.ui.AddLine(target, fmt.Sprintf(
-		"[gray]%s [green]<%s>[white] %s",
-		timestamp, nick, text,
-	))
-}
-
-func (a *App) handleCommand(text string) {
-	parts := strings.SplitN(text, " ", splitParts)
-	cmd := strings.ToLower(parts[0])
-
-	args := ""
-	if len(parts) > 1 {
-		args = parts[1]
-	}
-
-	a.dispatchCommand(cmd, args)
-}
-
-func (a *App) dispatchCommand(cmd, args string) {
-	switch cmd {
-	case "/connect":
-		a.cmdConnect(args)
-	case "/nick":
-		a.cmdNick(args)
-	case "/join":
-		a.cmdJoin(args)
-	case "/part":
-		a.cmdPart(args)
-	case "/msg":
-		a.cmdMsg(args)
-	case "/query":
-		a.cmdQuery(args)
-	case "/topic":
-		a.cmdTopic(args)
-	case "/names":
-		a.cmdNames()
-	case "/list":
-		a.cmdList()
-	case "/window", "/w":
-		a.cmdWindow(args)
-	case "/quit":
-		a.cmdQuit()
-	case "/help":
-		a.cmdHelp()
-	default:
-		a.ui.AddStatus(
-			"[red]Unknown command: " + cmd,
-		)
-	}
-}
-
-func (a *App) cmdConnect(serverURL string) {
-	if serverURL == "" {
-		a.ui.AddStatus(
-			"[red]Usage: /connect <server-url>",
-		)
-
-		return
-	}
-
-	serverURL = strings.TrimRight(serverURL, "/")
-
-	a.ui.AddStatus("Connecting to " + serverURL + "...")
-
-	a.mu.Lock()
-	nick := a.nick
-	a.mu.Unlock()
-
-	client := api.NewClient(serverURL)
-
-	resp, err := client.CreateSession(nick)
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Connection failed: %v", err,
-		))
-
-		return
-	}
-
-	a.mu.Lock()
-	a.client = client
-	a.nick = resp.Nick
-	a.connected = true
-	a.lastQID = 0
-	a.mu.Unlock()
-
-	a.ui.AddStatus(fmt.Sprintf(
-		"[green]Connected! Nick: %s, Session: %d",
-		resp.Nick, resp.ID,
-	))
-	a.ui.SetStatus(resp.Nick, "", "connected")
-
-	a.stopPoll = make(chan struct{})
-
-	go a.pollLoop()
-}
-
-func (a *App) cmdNick(nick string) {
-	if nick == "" {
-		a.ui.AddStatus(
-			"[red]Usage: /nick <name>",
-		)
-
-		return
-	}
-
-	a.mu.Lock()
-	connected := a.connected
-	a.mu.Unlock()
-
-	if !connected {
-		a.mu.Lock()
-		a.nick = nick
-		a.mu.Unlock()
-
-		a.ui.AddStatus(
-			"Nick set to " + nick +
-				" (will be used on connect)",
-		)
-
-		return
-	}
-
-	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "NICK",
-		Body:    []string{nick},
-	})
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Nick change failed: %v", err,
-		))
-
-		return
-	}
-
-	a.mu.Lock()
-	a.nick = nick
-	target := a.target
-	a.mu.Unlock()
-
-	a.ui.SetStatus(nick, target, "connected")
-	a.ui.AddStatus("Nick changed to " + nick)
-}
-
-func (a *App) cmdJoin(channel string) {
-	if channel == "" {
-		a.ui.AddStatus(
-			"[red]Usage: /join #channel",
-		)
-
-		return
-	}
-
-	if !strings.HasPrefix(channel, "#") {
-		channel = "#" + channel
-	}
-
-	a.mu.Lock()
-	connected := a.connected
-	a.mu.Unlock()
-
-	if !connected {
-		a.ui.AddStatus("[red]Not connected")
-
-		return
-	}
-
-	err := a.client.JoinChannel(channel)
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Join failed: %v", err,
-		))
-
-		return
-	}
-
-	a.mu.Lock()
-	a.target = channel
-	nick := a.nick
-	a.mu.Unlock()
-
-	a.ui.SwitchToBuffer(channel)
-	a.ui.AddLine(channel,
-		"[yellow]*** Joined "+channel,
-	)
-	a.ui.SetStatus(nick, channel, "connected")
-}
-
-func (a *App) cmdPart(channel string) {
-	a.mu.Lock()
-	if channel == "" {
-		channel = a.target
-	}
-
-	connected := a.connected
-	a.mu.Unlock()
-
-	if channel == "" ||
-		!strings.HasPrefix(channel, "#") {
-		a.ui.AddStatus("[red]No channel to part")
-
-		return
-	}
-
-	if !connected {
-		a.ui.AddStatus("[red]Not connected")
-
-		return
-	}
-
-	err := a.client.PartChannel(channel)
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Part failed: %v", err,
-		))
-
-		return
-	}
-
-	a.ui.AddLine(channel,
-		"[yellow]*** Left "+channel,
-	)
-
-	a.mu.Lock()
-	if a.target == channel {
-		a.target = ""
-	}
-
-	nick := a.nick
-	a.mu.Unlock()
-
-	a.ui.SwitchBuffer(0)
-	a.ui.SetStatus(nick, "", "connected")
-}
-
-func (a *App) cmdMsg(args string) {
-	parts := strings.SplitN(args, " ", splitParts)
-	if len(parts) < splitParts {
-		a.ui.AddStatus(
-			"[red]Usage: /msg <nick> <text>",
-		)
-
-		return
-	}
-
-	target, text := parts[0], parts[1]
-
-	a.mu.Lock()
-	connected := a.connected
-	nick := a.nick
-	a.mu.Unlock()
-
-	if !connected {
-		a.ui.AddStatus("[red]Not connected")
-
-		return
-	}
-
-	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "PRIVMSG",
-		To:      target,
-		Body:    []string{text},
-	})
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Send failed: %v", err,
-		))
-
-		return
-	}
-
-	timestamp := time.Now().Format(timeFormat)
-
-	a.ui.AddLine(target, fmt.Sprintf(
-		"[gray]%s [green]<%s>[white] %s",
-		timestamp, nick, text,
-	))
-}
-
-func (a *App) cmdQuery(nick string) {
-	if nick == "" {
-		a.ui.AddStatus(
-			"[red]Usage: /query <nick>",
-		)
-
-		return
-	}
-
-	a.mu.Lock()
-	a.target = nick
-	myNick := a.nick
-	a.mu.Unlock()
-
-	a.ui.SwitchToBuffer(nick)
-	a.ui.SetStatus(myNick, nick, "connected")
-}
-
-func (a *App) cmdTopic(args string) {
-	a.mu.Lock()
-	target := a.target
-	connected := a.connected
-	a.mu.Unlock()
-
-	if !connected {
-		a.ui.AddStatus("[red]Not connected")
-
-		return
-	}
-
-	if !strings.HasPrefix(target, "#") {
-		a.ui.AddStatus("[red]Not in a channel")
-
-		return
-	}
-
-	if args == "" {
-		err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-			Command: "TOPIC",
-			To:      target,
-		})
-		if err != nil {
-			a.ui.AddStatus(fmt.Sprintf(
-				"[red]Topic query failed: %v", err,
-			))
-		}
-
-		return
-	}
-
-	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
-		Command: "TOPIC",
-		To:      target,
-		Body:    []string{args},
-	})
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Topic set failed: %v", err,
-		))
-	}
-}
-
-func (a *App) cmdNames() {
-	a.mu.Lock()
-	target := a.target
-	connected := a.connected
-	a.mu.Unlock()
-
-	if !connected {
-		a.ui.AddStatus("[red]Not connected")
-
-		return
-	}
-
-	if !strings.HasPrefix(target, "#") {
-		a.ui.AddStatus("[red]Not in a channel")
-
-		return
-	}
-
-	members, err := a.client.GetMembers(target)
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]Names failed: %v", err,
-		))
-
-		return
-	}
-
-	a.ui.AddLine(target, fmt.Sprintf(
-		"[cyan]*** Members of %s: %s",
-		target, strings.Join(members, " "),
-	))
-}
-
-func (a *App) cmdList() {
-	a.mu.Lock()
-	connected := a.connected
-	a.mu.Unlock()
-
-	if !connected {
-		a.ui.AddStatus("[red]Not connected")
-
-		return
-	}
-
-	channels, err := a.client.ListChannels()
-	if err != nil {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[red]List failed: %v", err,
-		))
-
-		return
-	}
-
-	a.ui.AddStatus("[cyan]*** Channel list:")
-
-	for _, ch := range channels {
-		a.ui.AddStatus(fmt.Sprintf(
-			"  %s (%d members) %s",
-			ch.Name, ch.Members, ch.Topic,
-		))
-	}
-
-	a.ui.AddStatus("[cyan]*** End of channel list")
-}
-
-func (a *App) cmdWindow(args string) {
-	if args == "" {
-		a.ui.AddStatus(
-			"[red]Usage: /window <number>",
-		)
-
-		return
-	}
-
-	var bufIndex int
-
-	_, _ = fmt.Sscanf(args, "%d", &bufIndex)
-
-	a.ui.SwitchBuffer(bufIndex)
-
-	a.mu.Lock()
-	nick := a.nick
-	a.mu.Unlock()
-
-	if bufIndex >= 0 && bufIndex < a.ui.BufferCount() {
-		buf := a.ui.buffers[bufIndex]
-		if buf.Name != "(status)" {
-			a.mu.Lock()
-			a.target = buf.Name
-			a.mu.Unlock()
-
-			a.ui.SetStatus(
-				nick, buf.Name, "connected",
-			)
-		} else {
-			a.ui.SetStatus(nick, "", "connected")
-		}
-	}
-}
-
-func (a *App) cmdQuit() {
-	a.mu.Lock()
-
-	if a.connected && a.client != nil {
-		_ = a.client.SendMessage(
-			&api.Message{Command: "QUIT"}, //nolint:exhaustruct
-		)
-	}
-
-	if a.stopPoll != nil {
-		close(a.stopPoll)
-	}
-
-	a.mu.Unlock()
-	a.ui.Stop()
-}
-
-func (a *App) cmdHelp() {
-	help := []string{
-		"[cyan]*** neoirc-cli commands:",
-		"  /connect <url>  — Connect to server",
-		"  /nick <name>    — Change nickname",
-		"  /join #channel  — Join channel",
-		"  /part [#chan]    — Leave channel",
-		"  /msg <nick> <text> — Send DM",
-		"  /query <nick>   — Open DM window",
-		"  /topic [text]   — View/set topic",
-		"  /names          — List channel members",
-		"  /list           — List channels",
-		"  /window <n>     — Switch buffer",
-		"  /quit           — Disconnect and exit",
-		"  /help           — This help",
-		"  Plain text sends to current target.",
-	}
-
-	for _, line := range help {
-		a.ui.AddStatus(line)
-	}
-}
-
-// pollLoop long-polls for messages in the background.
-func (a *App) pollLoop() {
-	for {
-		select {
-		case <-a.stopPoll:
-			return
-		default:
-		}
-
-		a.mu.Lock()
-		client := a.client
-		lastQID := a.lastQID
-		a.mu.Unlock()
-
-		if client == nil {
-			return
-		}
-
-		result, err := client.PollMessages(
-			lastQID, pollTimeout,
-		)
-		if err != nil {
-			time.Sleep(pollRetry)
-
-			continue
-		}
-
-		if result.LastID > 0 {
-			a.mu.Lock()
-			a.lastQID = result.LastID
-			a.mu.Unlock()
-		}
-
-		for i := range result.Messages {
-			a.handleServerMessage(&result.Messages[i])
-		}
-	}
-}
-
-func (a *App) handleServerMessage(msg *api.Message) {
-	timestamp := a.formatTS(msg)
-
-	a.mu.Lock()
-	myNick := a.nick
-	a.mu.Unlock()
-
-	switch msg.Command {
-	case "PRIVMSG":
-		a.handlePrivmsgEvent(msg, timestamp, myNick)
-	case "JOIN":
-		a.handleJoinEvent(msg, timestamp)
-	case "PART":
-		a.handlePartEvent(msg, timestamp)
-	case "QUIT":
-		a.handleQuitEvent(msg, timestamp)
-	case "NICK":
-		a.handleNickEvent(msg, timestamp, myNick)
-	case "NOTICE":
-		a.handleNoticeEvent(msg, timestamp)
-	case "TOPIC":
-		a.handleTopicEvent(msg, timestamp)
-	default:
-		a.handleDefaultEvent(msg, timestamp)
-	}
-}
-
-func (a *App) formatTS(msg *api.Message) string {
-	if msg.TS != "" {
-		return msg.ParseTS().UTC().Format(timeFormat)
-	}
-
-	return time.Now().Format(timeFormat)
-}
-
-func (a *App) handlePrivmsgEvent(
-	msg *api.Message, timestamp, myNick string,
-) {
-	lines := msg.BodyLines()
-	text := strings.Join(lines, " ")
-
-	if msg.From == myNick {
-		return
-	}
-
-	target := msg.To
-	if !strings.HasPrefix(target, "#") {
-		target = msg.From
-	}
-
-	a.ui.AddLine(target, fmt.Sprintf(
-		"[gray]%s [green]<%s>[white] %s",
-		timestamp, msg.From, text,
-	))
-}
-
-func (a *App) handleJoinEvent(
-	msg *api.Message, timestamp string,
-) {
-	if msg.To == "" {
-		return
-	}
-
-	a.ui.AddLine(msg.To, fmt.Sprintf(
-		"[gray]%s [yellow]*** %s has joined %s",
-		timestamp, msg.From, msg.To,
-	))
-}
-
-func (a *App) handlePartEvent(
-	msg *api.Message, timestamp string,
-) {
-	if msg.To == "" {
-		return
-	}
-
-	lines := msg.BodyLines()
-	reason := strings.Join(lines, " ")
-
-	if reason != "" {
-		a.ui.AddLine(msg.To, fmt.Sprintf(
-			"[gray]%s [yellow]*** %s has left %s (%s)",
-			timestamp, msg.From, msg.To, reason,
-		))
-	} else {
-		a.ui.AddLine(msg.To, fmt.Sprintf(
-			"[gray]%s [yellow]*** %s has left %s",
-			timestamp, msg.From, msg.To,
-		))
-	}
-}
-
-func (a *App) handleQuitEvent(
-	msg *api.Message, timestamp string,
-) {
-	lines := msg.BodyLines()
-	reason := strings.Join(lines, " ")
-
-	if reason != "" {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[gray]%s [yellow]*** %s has quit (%s)",
-			timestamp, msg.From, reason,
-		))
-	} else {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[gray]%s [yellow]*** %s has quit",
-			timestamp, msg.From,
-		))
-	}
-}
-
-func (a *App) handleNickEvent(
-	msg *api.Message, timestamp, myNick string,
-) {
-	lines := msg.BodyLines()
-
-	newNick := ""
-	if len(lines) > 0 {
-		newNick = lines[0]
-	}
-
-	if msg.From == myNick && newNick != "" {
-		a.mu.Lock()
-		a.nick = newNick
-
-		target := a.target
-		a.mu.Unlock()
-
-		a.ui.SetStatus(newNick, target, "connected")
-	}
-
-	a.ui.AddStatus(fmt.Sprintf(
-		"[gray]%s [yellow]*** %s is now known as %s",
-		timestamp, msg.From, newNick,
-	))
-}
-
-func (a *App) handleNoticeEvent(
-	msg *api.Message, timestamp string,
-) {
-	lines := msg.BodyLines()
-	text := strings.Join(lines, " ")
-
-	a.ui.AddStatus(fmt.Sprintf(
-		"[gray]%s [magenta]--%s-- %s",
-		timestamp, msg.From, text,
-	))
-}
-
-func (a *App) handleTopicEvent(
-	msg *api.Message, timestamp string,
-) {
-	if msg.To == "" {
-		return
-	}
-
-	lines := msg.BodyLines()
-	text := strings.Join(lines, " ")
-
-	a.ui.AddLine(msg.To, fmt.Sprintf(
-		"[gray]%s [cyan]*** %s set topic: %s",
-		timestamp, msg.From, text,
-	))
-}
-
-func (a *App) handleDefaultEvent(
-	msg *api.Message, timestamp string,
-) {
-	lines := msg.BodyLines()
-	text := strings.Join(lines, " ")
-
-	if text != "" {
-		a.ui.AddStatus(fmt.Sprintf(
-			"[gray]%s [white][%s] %s",
-			timestamp, msg.Command, text,
-		))
-	}
 }

cmd/neoircd/main.go

@@ -10,6 +10,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"git.eeqj.de/sneak/neoirc/internal/middleware"
 	"git.eeqj.de/sneak/neoirc/internal/server"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -35,6 +36,7 @@ func main() {
 			server.New,
 			middleware.New,
 			healthcheck.New,
+			stats.New,
 		),
 		fx.Invoke(func(*server.Server) {}),
 	).Run()

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/gdamore/tcell/v2 v2.13.8
 	github.com/getsentry/sentry-go v0.42.0
-	github.com/go-chi/chi v1.5.5
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1

go.sum

@@ -18,8 +18,8 @@ github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3Rl
 github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo=
 github.com/getsentry/sentry-go v0.42.0 h1:eeFMACuZTbUQf90RE8dE4tXeSe4CZyfvR1MBL7RLEt8=
 github.com/getsentry/sentry-go v0.42.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=

internal/cli/api/client.go

@@ -13,6 +13,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 
 const (
@@ -41,13 +43,30 @@ func NewClient(baseURL string) *Client {
 }
 
 // CreateSession creates a new session on the server.
+// If the server requires hashcash proof-of-work, it
+// automatically fetches the difficulty and computes a
+// valid stamp.
 func (client *Client) CreateSession(
 	nick string,
 ) (*SessionResponse, error) {
+	// Fetch server info to check for hashcash requirement.
+	info, err := client.GetServerInfo()
+
+	var hashcashStamp string
+
+	if err == nil && info.HashcashBits > 0 {
+		resource := info.Name
+		if resource == "" {
+			resource = "neoirc"
+		}
+
+		hashcashStamp = MintHashcash(info.HashcashBits, resource)
+	}
+
 	data, err := client.do(
 		http.MethodPost,
 		"/api/v1/session",
-		&SessionRequest{Nick: nick},
+		&SessionRequest{Nick: nick, Hashcash: hashcashStamp},
 	)
 	if err != nil {
 		return nil, err
@@ -168,7 +187,7 @@ func (client *Client) PollMessages(
 func (client *Client) JoinChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "JOIN", To: channel,
+			Command: irc.CmdJoin, To: channel,
 		},
 	)
 }
@@ -177,7 +196,7 @@ func (client *Client) JoinChannel(channel string) error {
 func (client *Client) PartChannel(channel string) error {
 	return client.SendMessage(
 		&Message{ //nolint:exhaustruct // only command+to needed
-			Command: "PART", To: channel,
+			Command: irc.CmdPart, To: channel,
 		},
 	)
 }

internal/cli/api/hashcash.go

@@ -0,0 +1,79 @@
+package neoircapi
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"time"
+)
+
+const (
+	// bitsPerByte is the number of bits in a byte.
+	bitsPerByte = 8
+	// fullByteMask is 0xFF, a mask for all bits in a byte.
+	fullByteMask = 0xFF
+	// counterSpace is the range for random counter seeds.
+	counterSpace = 1 << 48
+)
+
+// MintHashcash computes a hashcash stamp with the given
+// difficulty (leading zero bits) and resource string.
+func MintHashcash(bits int, resource string) string {
+	date := time.Now().UTC().Format("060102")
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s::", bits, date, resource,
+	)
+
+	for {
+		counter := randomCounter()
+		stamp := prefix + counter
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+	}
+}
+
+// hasLeadingZeroBits checks if hash has at least numBits
+// leading zero bits.
+func hasLeadingZeroBits(
+	hash []byte,
+	numBits int,
+) bool {
+	fullBytes := numBits / bitsPerByte
+	remainBits := numBits % bitsPerByte
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(
+			fullByteMask << (bitsPerByte - remainBits),
+		)
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+// randomCounter generates a random hex counter string.
+func randomCounter() string {
+	counterVal, err := rand.Int(
+		rand.Reader, big.NewInt(counterSpace),
+	)
+	if err != nil {
+		// Fallback to timestamp-based counter on error.
+		return fmt.Sprintf("%x", time.Now().UnixNano())
+	}
+
+	return hex.EncodeToString(counterVal.Bytes())
+}

internal/cli/api/types.go

@@ -5,6 +5,7 @@ import "time"
 // SessionRequest is the body for POST /api/v1/session.
 type SessionRequest struct {
 	Nick     string `json:"nick"`
+	Hashcash string `json:"pow_token,omitempty"` //nolint:tagliatelle
 }
 
 // SessionResponse is the response from session creation.
@@ -66,6 +67,7 @@ type ServerInfo struct {
 	Name         string `json:"name"`
 	MOTD         string `json:"motd"`
 	Version      string `json:"version"`
+	HashcashBits int    `json:"hashcash_bits"` //nolint:tagliatelle
 }
 
 // MessagesResponse wraps polling results.

internal/cli/app.go

@@ -0,0 +1,912 @@
+// Package cli implements the neoirc-cli terminal client.
+package cli
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	api "git.eeqj.de/sneak/neoirc/internal/cli/api"
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+)
+
+const (
+	splitParts  = 2
+	pollTimeout = 15
+	pollRetry   = 2 * time.Second
+	timeFormat  = "15:04"
+)
+
+// App holds the application state.
+type App struct {
+	ui     *UI
+	client *api.Client
+
+	mu        sync.Mutex
+	nick      string
+	target    string
+	connected bool
+	lastQID   int64
+	stopPoll  chan struct{}
+}
+
+// Run creates and runs the CLI application.
+func Run() {
+	app := &App{ //nolint:exhaustruct
+		ui:   NewUI(),
+		nick: "guest",
+	}
+
+	app.ui.OnInput(app.handleInput)
+	app.ui.SetStatus(app.nick, "", "disconnected")
+
+	app.ui.AddStatus(
+		"Welcome to neoirc-cli — an IRC-style client",
+	)
+	app.ui.AddStatus(
+		"Type [yellow]/connect <server-url>" +
+			"[white] to begin, " +
+			"or [yellow]/help[white] for commands",
+	)
+
+	err := app.ui.Run()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+}
+
+func (a *App) handleInput(text string) {
+	if strings.HasPrefix(text, "/") {
+		a.handleCommand(text)
+
+		return
+	}
+
+	a.mu.Lock()
+	target := a.target
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus(
+			"[red]Not connected. Use /connect <url>",
+		)
+
+		return
+	}
+
+	if target == "" {
+		a.ui.AddStatus(
+			"[red]No target. " +
+				"Use /join #channel or /query nick",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
+		Command: irc.CmdPrivmsg,
+		To:      target,
+		Body:    []string{text},
+	})
+	if err != nil {
+		a.ui.AddStatus(
+			"[red]Send error: " + err.Error(),
+		)
+
+		return
+	}
+
+	timestamp := time.Now().Format(timeFormat)
+
+	a.mu.Lock()
+	nick := a.nick
+	a.mu.Unlock()
+
+	a.ui.AddLine(target, fmt.Sprintf(
+		"[gray]%s [green]<%s>[white] %s",
+		timestamp, nick, text,
+	))
+}
+
+func (a *App) handleCommand(text string) {
+	parts := strings.SplitN(text, " ", splitParts)
+	cmd := strings.ToLower(parts[0])
+
+	args := ""
+	if len(parts) > 1 {
+		args = parts[1]
+	}
+
+	a.dispatchCommand(cmd, args)
+}
+
+func (a *App) dispatchCommand(cmd, args string) {
+	switch cmd {
+	case "/connect":
+		a.cmdConnect(args)
+	case "/nick":
+		a.cmdNick(args)
+	case "/join":
+		a.cmdJoin(args)
+	case "/part":
+		a.cmdPart(args)
+	case "/msg":
+		a.cmdMsg(args)
+	case "/query":
+		a.cmdQuery(args)
+	case "/topic":
+		a.cmdTopic(args)
+	case "/window", "/w":
+		a.cmdWindow(args)
+	case "/quit":
+		a.cmdQuit()
+	case "/help":
+		a.cmdHelp()
+	default:
+		a.dispatchInfoCommand(cmd, args)
+	}
+}
+
+func (a *App) dispatchInfoCommand(cmd, args string) {
+	switch cmd {
+	case "/names":
+		a.cmdNames()
+	case "/list":
+		a.cmdList()
+	case "/motd":
+		a.cmdMotd()
+	case "/who":
+		a.cmdWho(args)
+	case "/whois":
+		a.cmdWhois(args)
+	default:
+		a.ui.AddStatus(
+			"[red]Unknown command: " + cmd,
+		)
+	}
+}
+
+func (a *App) cmdConnect(serverURL string) {
+	if serverURL == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /connect <server-url>",
+		)
+
+		return
+	}
+
+	serverURL = strings.TrimRight(serverURL, "/")
+
+	a.ui.AddStatus("Connecting to " + serverURL + "...")
+
+	a.mu.Lock()
+	nick := a.nick
+	a.mu.Unlock()
+
+	client := api.NewClient(serverURL)
+
+	resp, err := client.CreateSession(nick)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Connection failed: %v", err,
+		))
+
+		return
+	}
+
+	a.mu.Lock()
+	a.client = client
+	a.nick = resp.Nick
+	a.connected = true
+	a.lastQID = 0
+	a.mu.Unlock()
+
+	a.ui.AddStatus(fmt.Sprintf(
+		"[green]Connected! Nick: %s, Session: %d",
+		resp.Nick, resp.ID,
+	))
+	a.ui.SetStatus(resp.Nick, "", "connected")
+
+	a.stopPoll = make(chan struct{})
+
+	go a.pollLoop()
+}
+
+func (a *App) cmdNick(nick string) {
+	if nick == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /nick <name>",
+		)
+
+		return
+	}
+
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.mu.Lock()
+		a.nick = nick
+		a.mu.Unlock()
+
+		a.ui.AddStatus(
+			"Nick set to " + nick +
+				" (will be used on connect)",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
+		Command: irc.CmdNick,
+		Body:    []string{nick},
+	})
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Nick change failed: %v", err,
+		))
+
+		return
+	}
+
+	a.mu.Lock()
+	a.nick = nick
+	target := a.target
+	a.mu.Unlock()
+
+	a.ui.SetStatus(nick, target, "connected")
+	a.ui.AddStatus("Nick changed to " + nick)
+}
+
+func (a *App) cmdJoin(channel string) {
+	if channel == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /join #channel",
+		)
+
+		return
+	}
+
+	if !strings.HasPrefix(channel, "#") {
+		channel = "#" + channel
+	}
+
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	err := a.client.JoinChannel(channel)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Join failed: %v", err,
+		))
+
+		return
+	}
+
+	a.mu.Lock()
+	a.target = channel
+	nick := a.nick
+	a.mu.Unlock()
+
+	a.ui.SwitchToBuffer(channel)
+	a.ui.AddLine(channel,
+		"[yellow]*** Joined "+channel,
+	)
+	a.ui.SetStatus(nick, channel, "connected")
+}
+
+func (a *App) cmdPart(channel string) {
+	a.mu.Lock()
+	if channel == "" {
+		channel = a.target
+	}
+
+	connected := a.connected
+	a.mu.Unlock()
+
+	if channel == "" ||
+		!strings.HasPrefix(channel, "#") {
+		a.ui.AddStatus("[red]No channel to part")
+
+		return
+	}
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	err := a.client.PartChannel(channel)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Part failed: %v", err,
+		))
+
+		return
+	}
+
+	a.ui.AddLine(channel,
+		"[yellow]*** Left "+channel,
+	)
+
+	a.mu.Lock()
+	if a.target == channel {
+		a.target = ""
+	}
+
+	nick := a.nick
+	a.mu.Unlock()
+
+	a.ui.SwitchBuffer(0)
+	a.ui.SetStatus(nick, "", "connected")
+}
+
+func (a *App) cmdMsg(args string) {
+	parts := strings.SplitN(args, " ", splitParts)
+	if len(parts) < splitParts {
+		a.ui.AddStatus(
+			"[red]Usage: /msg <nick> <text>",
+		)
+
+		return
+	}
+
+	target, text := parts[0], parts[1]
+
+	a.mu.Lock()
+	connected := a.connected
+	nick := a.nick
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
+		Command: irc.CmdPrivmsg,
+		To:      target,
+		Body:    []string{text},
+	})
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Send failed: %v", err,
+		))
+
+		return
+	}
+
+	timestamp := time.Now().Format(timeFormat)
+
+	a.ui.AddLine(target, fmt.Sprintf(
+		"[gray]%s [green]<%s>[white] %s",
+		timestamp, nick, text,
+	))
+}
+
+func (a *App) cmdQuery(nick string) {
+	if nick == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /query <nick>",
+		)
+
+		return
+	}
+
+	a.mu.Lock()
+	a.target = nick
+	myNick := a.nick
+	a.mu.Unlock()
+
+	a.ui.SwitchToBuffer(nick)
+	a.ui.SetStatus(myNick, nick, "connected")
+}
+
+func (a *App) cmdTopic(args string) {
+	a.mu.Lock()
+	target := a.target
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	if !strings.HasPrefix(target, "#") {
+		a.ui.AddStatus("[red]Not in a channel")
+
+		return
+	}
+
+	if args == "" {
+		err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdTopic,
+			To:      target,
+		})
+		if err != nil {
+			a.ui.AddStatus(fmt.Sprintf(
+				"[red]Topic query failed: %v", err,
+			))
+		}
+
+		return
+	}
+
+	err := a.client.SendMessage(&api.Message{ //nolint:exhaustruct
+		Command: irc.CmdTopic,
+		To:      target,
+		Body:    []string{args},
+	})
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Topic set failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdNames() {
+	a.mu.Lock()
+	target := a.target
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	if !strings.HasPrefix(target, "#") {
+		a.ui.AddStatus("[red]Not in a channel")
+
+		return
+	}
+
+	members, err := a.client.GetMembers(target)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]Names failed: %v", err,
+		))
+
+		return
+	}
+
+	a.ui.AddLine(target, fmt.Sprintf(
+		"[cyan]*** Members of %s: %s",
+		target, strings.Join(members, " "),
+	))
+}
+
+func (a *App) cmdList() {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	channels, err := a.client.ListChannels()
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]List failed: %v", err,
+		))
+
+		return
+	}
+
+	a.ui.AddStatus("[cyan]*** Channel list:")
+
+	for _, ch := range channels {
+		a.ui.AddStatus(fmt.Sprintf(
+			"  %s (%d members) %s",
+			ch.Name, ch.Members, ch.Topic,
+		))
+	}
+
+	a.ui.AddStatus("[cyan]*** End of channel list")
+}
+
+func (a *App) cmdMotd() {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{Command: irc.CmdMotd}, //nolint:exhaustruct
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]MOTD failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWho(args string) {
+	a.mu.Lock()
+	connected := a.connected
+	target := a.target
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	channel := args
+	if channel == "" {
+		channel = target
+	}
+
+	if channel == "" ||
+		!strings.HasPrefix(channel, "#") {
+		a.ui.AddStatus(
+			"[red]Usage: /who #channel",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdWho, To: channel,
+		},
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]WHO failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWhois(args string) {
+	a.mu.Lock()
+	connected := a.connected
+	a.mu.Unlock()
+
+	if !connected {
+		a.ui.AddStatus("[red]Not connected")
+
+		return
+	}
+
+	if args == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /whois <nick>",
+		)
+
+		return
+	}
+
+	err := a.client.SendMessage(
+		&api.Message{ //nolint:exhaustruct
+			Command: irc.CmdWhois, To: args,
+		},
+	)
+	if err != nil {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[red]WHOIS failed: %v", err,
+		))
+	}
+}
+
+func (a *App) cmdWindow(args string) {
+	if args == "" {
+		a.ui.AddStatus(
+			"[red]Usage: /window <number>",
+		)
+
+		return
+	}
+
+	var bufIndex int
+
+	_, _ = fmt.Sscanf(args, "%d", &bufIndex)
+
+	a.ui.SwitchBuffer(bufIndex)
+
+	a.mu.Lock()
+	nick := a.nick
+	a.mu.Unlock()
+
+	if bufIndex >= 0 && bufIndex < a.ui.BufferCount() {
+		buf := a.ui.buffers[bufIndex]
+		if buf.Name != "(status)" {
+			a.mu.Lock()
+			a.target = buf.Name
+			a.mu.Unlock()
+
+			a.ui.SetStatus(
+				nick, buf.Name, "connected",
+			)
+		} else {
+			a.ui.SetStatus(nick, "", "connected")
+		}
+	}
+}
+
+func (a *App) cmdQuit() {
+	a.mu.Lock()
+
+	if a.connected && a.client != nil {
+		_ = a.client.SendMessage(
+			&api.Message{Command: irc.CmdQuit}, //nolint:exhaustruct
+		)
+	}
+
+	if a.stopPoll != nil {
+		close(a.stopPoll)
+	}
+
+	a.mu.Unlock()
+	a.ui.Stop()
+}
+
+func (a *App) cmdHelp() {
+	help := []string{
+		"[cyan]*** neoirc-cli commands:",
+		"  /connect <url>  — Connect to server",
+		"  /nick <name>    — Change nickname",
+		"  /join #channel  — Join channel",
+		"  /part [#chan]    — Leave channel",
+		"  /msg <nick> <text> — Send DM",
+		"  /query <nick>   — Open DM window",
+		"  /topic [text]   — View/set topic",
+		"  /names          — List channel members",
+		"  /list           — List channels",
+		"  /who [#channel] — List users in channel",
+		"  /whois <nick>   — Show user info",
+		"  /motd           — Show message of the day",
+		"  /window <n>     — Switch buffer",
+		"  /quit           — Disconnect and exit",
+		"  /help           — This help",
+		"  Plain text sends to current target.",
+	}
+
+	for _, line := range help {
+		a.ui.AddStatus(line)
+	}
+}
+
+// pollLoop long-polls for messages in the background.
+func (a *App) pollLoop() {
+	for {
+		select {
+		case <-a.stopPoll:
+			return
+		default:
+		}
+
+		a.mu.Lock()
+		client := a.client
+		lastQID := a.lastQID
+		a.mu.Unlock()
+
+		if client == nil {
+			return
+		}
+
+		result, err := client.PollMessages(
+			lastQID, pollTimeout,
+		)
+		if err != nil {
+			time.Sleep(pollRetry)
+
+			continue
+		}
+
+		if result.LastID > 0 {
+			a.mu.Lock()
+			a.lastQID = result.LastID
+			a.mu.Unlock()
+		}
+
+		for i := range result.Messages {
+			a.handleServerMessage(&result.Messages[i])
+		}
+	}
+}
+
+func (a *App) handleServerMessage(msg *api.Message) {
+	timestamp := a.formatTS(msg)
+
+	a.mu.Lock()
+	myNick := a.nick
+	a.mu.Unlock()
+
+	switch msg.Command {
+	case irc.CmdPrivmsg:
+		a.handlePrivmsgEvent(msg, timestamp, myNick)
+	case irc.CmdJoin:
+		a.handleJoinEvent(msg, timestamp)
+	case irc.CmdPart:
+		a.handlePartEvent(msg, timestamp)
+	case irc.CmdQuit:
+		a.handleQuitEvent(msg, timestamp)
+	case irc.CmdNick:
+		a.handleNickEvent(msg, timestamp, myNick)
+	case irc.CmdNotice:
+		a.handleNoticeEvent(msg, timestamp)
+	case irc.CmdTopic:
+		a.handleTopicEvent(msg, timestamp)
+	default:
+		a.handleDefaultEvent(msg, timestamp)
+	}
+}
+
+func (a *App) formatTS(msg *api.Message) string {
+	if msg.TS != "" {
+		return msg.ParseTS().UTC().Format(timeFormat)
+	}
+
+	return time.Now().Format(timeFormat)
+}
+
+func (a *App) handlePrivmsgEvent(
+	msg *api.Message, timestamp, myNick string,
+) {
+	lines := msg.BodyLines()
+	text := strings.Join(lines, " ")
+
+	if msg.From == myNick {
+		return
+	}
+
+	target := msg.To
+	if !strings.HasPrefix(target, "#") {
+		target = msg.From
+	}
+
+	a.ui.AddLine(target, fmt.Sprintf(
+		"[gray]%s [green]<%s>[white] %s",
+		timestamp, msg.From, text,
+	))
+}
+
+func (a *App) handleJoinEvent(
+	msg *api.Message, timestamp string,
+) {
+	if msg.To == "" {
+		return
+	}
+
+	a.ui.AddLine(msg.To, fmt.Sprintf(
+		"[gray]%s [yellow]*** %s has joined %s",
+		timestamp, msg.From, msg.To,
+	))
+}
+
+func (a *App) handlePartEvent(
+	msg *api.Message, timestamp string,
+) {
+	if msg.To == "" {
+		return
+	}
+
+	lines := msg.BodyLines()
+	reason := strings.Join(lines, " ")
+
+	if reason != "" {
+		a.ui.AddLine(msg.To, fmt.Sprintf(
+			"[gray]%s [yellow]*** %s has left %s (%s)",
+			timestamp, msg.From, msg.To, reason,
+		))
+	} else {
+		a.ui.AddLine(msg.To, fmt.Sprintf(
+			"[gray]%s [yellow]*** %s has left %s",
+			timestamp, msg.From, msg.To,
+		))
+	}
+}
+
+func (a *App) handleQuitEvent(
+	msg *api.Message, timestamp string,
+) {
+	lines := msg.BodyLines()
+	reason := strings.Join(lines, " ")
+
+	if reason != "" {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[gray]%s [yellow]*** %s has quit (%s)",
+			timestamp, msg.From, reason,
+		))
+	} else {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[gray]%s [yellow]*** %s has quit",
+			timestamp, msg.From,
+		))
+	}
+}
+
+func (a *App) handleNickEvent(
+	msg *api.Message, timestamp, myNick string,
+) {
+	lines := msg.BodyLines()
+
+	newNick := ""
+	if len(lines) > 0 {
+		newNick = lines[0]
+	}
+
+	if msg.From == myNick && newNick != "" {
+		a.mu.Lock()
+		a.nick = newNick
+
+		target := a.target
+		a.mu.Unlock()
+
+		a.ui.SetStatus(newNick, target, "connected")
+	}
+
+	a.ui.AddStatus(fmt.Sprintf(
+		"[gray]%s [yellow]*** %s is now known as %s",
+		timestamp, msg.From, newNick,
+	))
+}
+
+func (a *App) handleNoticeEvent(
+	msg *api.Message, timestamp string,
+) {
+	lines := msg.BodyLines()
+	text := strings.Join(lines, " ")
+
+	a.ui.AddStatus(fmt.Sprintf(
+		"[gray]%s [magenta]--%s-- %s",
+		timestamp, msg.From, text,
+	))
+}
+
+func (a *App) handleTopicEvent(
+	msg *api.Message, timestamp string,
+) {
+	if msg.To == "" {
+		return
+	}
+
+	lines := msg.BodyLines()
+	text := strings.Join(lines, " ")
+
+	a.ui.AddLine(msg.To, fmt.Sprintf(
+		"[gray]%s [cyan]*** %s set topic: %s",
+		timestamp, msg.From, text,
+	))
+}
+
+func (a *App) handleDefaultEvent(
+	msg *api.Message, timestamp string,
+) {
+	lines := msg.BodyLines()
+	text := strings.Join(lines, " ")
+
+	if text != "" {
+		a.ui.AddStatus(fmt.Sprintf(
+			"[gray]%s [white][%s] %s",
+			timestamp, msg.Command, text,
+		))
+	}
+}

internal/cli/ui.go

@@ -1,4 +1,4 @@
-package main
+package cli
 
 import (
 	"fmt"

internal/config/config.go

@@ -13,6 +13,14 @@ import (
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )
 
+const defaultMOTD = ` _ __   ___  ___  (_)_ __ ___
+| '_ \ / _ \/ _ \ | | '__/ __|
+| | | |  __/ (_) || | | | (__
+|_| |_|\___|\___/ |_|_|  \___|
+
+Welcome to NeoIRC — IRC semantics over HTTP.
+Type /help for available commands.`
+
 // Params defines the dependencies for creating a Config.
 type Params struct {
 	fx.In
@@ -30,12 +38,16 @@ type Config struct {
 	MetricsUsername    string
 	Port               int
 	SentryDSN          string
-	MaxHistory         int
+	MessageMaxAge      string
 	MaxMessageSize     int
+	QueueMaxAge        string
 	MOTD               string
 	ServerName         string
 	FederationKey      string
 	SessionIdleTimeout string
+	HashcashBits       int
+	OperName           string
+	OperPassword       string
 	params             *Params
 	log                *slog.Logger
 }
@@ -60,12 +72,16 @@ func New(
 	viper.SetDefault("SENTRY_DSN", "")
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
-	viper.SetDefault("MAX_HISTORY", "10000")
+	viper.SetDefault("MESSAGE_MAX_AGE", "720h")
 	viper.SetDefault("MAX_MESSAGE_SIZE", "4096")
-	viper.SetDefault("MOTD", "")
+	viper.SetDefault("QUEUE_MAX_AGE", "720h")
+	viper.SetDefault("MOTD", defaultMOTD)
 	viper.SetDefault("SERVER_NAME", "")
 	viper.SetDefault("FEDERATION_KEY", "")
-	viper.SetDefault("SESSION_IDLE_TIMEOUT", "24h")
+	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
+	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
+	viper.SetDefault("NEOIRC_OPER_NAME", "")
+	viper.SetDefault("NEOIRC_OPER_PASSWORD", "")
 
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -84,12 +100,16 @@ func New(
 		MaintenanceMode:    viper.GetBool("MAINTENANCE_MODE"),
 		MetricsUsername:    viper.GetString("METRICS_USERNAME"),
 		MetricsPassword:    viper.GetString("METRICS_PASSWORD"),
-		MaxHistory:         viper.GetInt("MAX_HISTORY"),
+		MessageMaxAge:      viper.GetString("MESSAGE_MAX_AGE"),
 		MaxMessageSize:     viper.GetInt("MAX_MESSAGE_SIZE"),
+		QueueMaxAge:        viper.GetString("QUEUE_MAX_AGE"),
 		MOTD:               viper.GetString("MOTD"),
 		ServerName:         viper.GetString("SERVER_NAME"),
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
 		SessionIdleTimeout: viper.GetString("SESSION_IDLE_TIMEOUT"),
+		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
+		OperName:           viper.GetString("NEOIRC_OPER_NAME"),
+		OperPassword:       viper.GetString("NEOIRC_OPER_PASSWORD"),
 		log:                log,
 		params:             &params,
 	}

internal/db/auth.go

@@ -20,8 +20,12 @@ var errNoPassword = errors.New(
 // and returns session ID, client ID, and token.
 func (database *Database) RegisterUser(
 	ctx context.Context,
-	nick, password string,
+	nick, password, username, hostname, remoteIP string,
 ) (int64, int64, string, error) {
+	if username == "" {
+		username = nick
+	}
+
 	hash, err := bcrypt.GenerateFromPassword(
 		[]byte(password), bcryptCost,
 	)
@@ -50,10 +54,11 @@ func (database *Database) RegisterUser(
 
 	res, err := transaction.ExecContext(ctx,
 		`INSERT INTO sessions
-		 (uuid, nick, password_hash,
+		 (uuid, nick, username, hostname, ip,
-		  created_at, last_seen)
+		  password_hash, created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
-		sessionUUID, nick, string(hash), now, now)
+		sessionUUID, nick, username, hostname,
+		remoteIP, string(hash), now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 
@@ -64,12 +69,15 @@ func (database *Database) RegisterUser(
 
 	sessionID, _ := res.LastInsertId()
 
+	tokenHash := hashToken(token)
+
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash,
+		remoteIP, hostname, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 
@@ -94,7 +102,7 @@ func (database *Database) RegisterUser(
 // client token.
 func (database *Database) LoginUser(
 	ctx context.Context,
-	nick, password string,
+	nick, password, remoteIP, hostname string,
 ) (int64, int64, string, error) {
 	var (
 		sessionID    int64
@@ -137,12 +145,15 @@ func (database *Database) LoginUser(
 
 	now := time.Now()
 
+	tokenHash := hashToken(token)
+
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash,
+		remoteIP, hostname, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,

internal/db/auth_test.go

@@ -13,7 +13,7 @@ func TestRegisterUser(t *testing.T) {
 	ctx := t.Context()
 
 	sessionID, clientID, token, err :=
-		database.RegisterUser(ctx, "reguser", "password123")
+		database.RegisterUser(ctx, "reguser", "password123", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -38,6 +38,69 @@ func TestRegisterUser(t *testing.T) {
 	}
 }
 
+func TestRegisterUserWithUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.RegisterUser(
+		ctx, "reguhost", "password123",
+		"myident", "example.org", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.Username != "myident" {
+		t.Fatalf(
+			"expected myident, got %s", info.Username,
+		)
+	}
+
+	if info.Hostname != "example.org" {
+		t.Fatalf(
+			"expected example.org, got %s",
+			info.Hostname,
+		)
+	}
+}
+
+func TestRegisterUserDefaultUsername(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.RegisterUser(
+		ctx, "regdefault", "password123", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.Username != "regdefault" {
+		t.Fatalf(
+			"expected regdefault, got %s",
+			info.Username,
+		)
+	}
+}
+
 func TestRegisterUserDuplicateNick(t *testing.T) {
 	t.Parallel()
 
@@ -45,7 +108,7 @@ func TestRegisterUserDuplicateNick(t *testing.T) {
 	ctx := t.Context()
 
 	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "dupnick", "password123")
+		database.RegisterUser(ctx, "dupnick", "password123", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -55,7 +118,7 @@ func TestRegisterUserDuplicateNick(t *testing.T) {
 	_ = regToken
 
 	dupSID, dupCID, dupToken, dupErr :=
-		database.RegisterUser(ctx, "dupnick", "other12345")
+		database.RegisterUser(ctx, "dupnick", "other12345", "", "", "")
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
 	}
@@ -72,7 +135,7 @@ func TestLoginUser(t *testing.T) {
 	ctx := t.Context()
 
 	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "loginuser", "mypassword")
+		database.RegisterUser(ctx, "loginuser", "mypassword", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -82,7 +145,7 @@ func TestLoginUser(t *testing.T) {
 	_ = regToken
 
 	sessionID, clientID, token, err :=
-		database.LoginUser(ctx, "loginuser", "mypassword")
+		database.LoginUser(ctx, "loginuser", "mypassword", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -103,6 +166,83 @@ func TestLoginUser(t *testing.T) {
 	}
 }
 
+func TestLoginUserStoresClientIPHostname(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	regSID, regCID, regToken, err := database.RegisterUser(
+		ctx, "loginipuser", "password123",
+		"", "", "10.0.0.1",
+	)
+
+	_ = regSID
+	_ = regCID
+	_ = regToken
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, clientID, _, err := database.LoginUser(
+		ctx, "loginipuser", "password123",
+		"10.0.0.99", "newhost.example.com",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientInfo, err := database.GetClientHostInfo(
+		ctx, clientID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "10.0.0.99" {
+		t.Fatalf(
+			"expected client IP 10.0.0.99, got %s",
+			clientInfo.IP,
+		)
+	}
+
+	if clientInfo.Hostname != "newhost.example.com" {
+		t.Fatalf(
+			"expected hostname newhost.example.com, got %s",
+			clientInfo.Hostname,
+		)
+	}
+}
+
+func TestRegisterUserStoresSessionIP(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.RegisterUser(
+		ctx, "regipuser", "password123",
+		"ident", "host.local", "172.16.0.5",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.IP != "172.16.0.5" {
+		t.Fatalf(
+			"expected session IP 172.16.0.5, got %s",
+			info.IP,
+		)
+	}
+}
+
 func TestLoginUserWrongPassword(t *testing.T) {
 	t.Parallel()
 
@@ -110,7 +250,7 @@ func TestLoginUserWrongPassword(t *testing.T) {
 	ctx := t.Context()
 
 	regSID, regCID, regToken, err :=
-		database.RegisterUser(ctx, "wrongpw", "correctpass")
+		database.RegisterUser(ctx, "wrongpw", "correctpass", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -120,7 +260,7 @@ func TestLoginUserWrongPassword(t *testing.T) {
 	_ = regToken
 
 	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "wrongpw", "wrongpass12")
+		database.LoginUser(ctx, "wrongpw", "wrongpass12", "", "")
 	if loginErr == nil {
 		t.Fatal("expected error for wrong password")
 	}
@@ -138,7 +278,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 
 	// Create anonymous session (no password).
 	anonSID, anonCID, anonToken, err :=
-		database.CreateSession(ctx, "anon")
+		database.CreateSession(ctx, "anon", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -148,7 +288,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 	_ = anonToken
 
 	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "anon", "anything1")
+		database.LoginUser(ctx, "anon", "anything1", "", "")
 	if loginErr == nil {
 		t.Fatal(
 			"expected error for login on passwordless account",
@@ -167,7 +307,7 @@ func TestLoginUserNonexistent(t *testing.T) {
 	ctx := t.Context()
 
 	loginSID, loginCID, loginToken, err :=
-		database.LoginUser(ctx, "ghost", "password123")
+		database.LoginUser(ctx, "ghost", "password123", "", "")
 	if err == nil {
 		t.Fatal("expected error for nonexistent user")
 	}

internal/db/errors.go

@@ -0,0 +1,20 @@
+// Package db provides database access and migration management.
+package db
+
+import (
+	"errors"
+
+	"modernc.org/sqlite"
+	sqlite3 "modernc.org/sqlite/lib"
+)
+
+// IsUniqueConstraintError reports whether err is a SQLite
+// unique-constraint violation.
+func IsUniqueConstraintError(err error) bool {
+	var sqliteErr *sqlite.Error
+	if !errors.As(err, &sqliteErr) {
+		return false
+	}
+
+	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
+}

internal/db/queries.go

@@ -3,12 +3,15 @@ package db
 import (
 	"context"
 	"crypto/rand"
+	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"strconv"
 	"time"
 
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
 	"github.com/google/uuid"
 )
 
@@ -29,18 +32,37 @@ func generateToken() (string, error) {
 	return hex.EncodeToString(buf), nil
 }
 
+// hashToken returns the lowercase hex-encoded SHA-256
+// digest of a plaintext token string.
+func hashToken(token string) string {
+	sum := sha256.Sum256([]byte(token))
+
+	return hex.EncodeToString(sum[:])
+}
+
 // IRCMessage is the IRC envelope for all messages.
 type IRCMessage struct {
 	ID      string          `json:"id"`
 	Command string          `json:"command"`
+	Code    int             `json:"code,omitempty"`
 	From    string          `json:"from,omitempty"`
 	To      string          `json:"to,omitempty"`
+	Params  json.RawMessage `json:"params,omitempty"`
 	Body    json.RawMessage `json:"body,omitempty"`
 	TS      string          `json:"ts"`
 	Meta    json.RawMessage `json:"meta,omitempty"`
 	DBID    int64           `json:"-"`
 }
 
+// isNumericCode returns true if s is exactly a 3-digit
+// IRC numeric reply code.
+func isNumericCode(s string) bool {
+	return len(s) == 3 &&
+		s[0] >= '0' && s[0] <= '9' &&
+		s[1] >= '0' && s[1] <= '9' &&
+		s[2] >= '0' && s[2] <= '9'
+}
+
 // ChannelInfo is a lightweight channel representation.
 type ChannelInfo struct {
 	ID    int64  `json:"id"`
@@ -52,14 +74,40 @@ type ChannelInfo struct {
 type MemberInfo struct {
 	ID       int64     `json:"id"`
 	Nick     string    `json:"nick"`
+	Username string    `json:"username"`
+	Hostname string    `json:"hostname"`
 	LastSeen time.Time `json:"lastSeen"`
 }
 
+// Hostmask returns the IRC hostmask in
+// nick!user@host format.
+func (m *MemberInfo) Hostmask() string {
+	return FormatHostmask(m.Nick, m.Username, m.Hostname)
+}
+
+// FormatHostmask formats a nick, username, and hostname
+// into a standard IRC hostmask string (nick!user@host).
+func FormatHostmask(nick, username, hostname string) string {
+	if username == "" {
+		username = nick
+	}
+
+	if hostname == "" {
+		hostname = "*"
+	}
+
+	return nick + "!" + username + "@" + hostname
+}
+
 // CreateSession registers a new session and its first client.
 func (database *Database) CreateSession(
 	ctx context.Context,
-	nick string,
+	nick, username, hostname, remoteIP string,
 ) (int64, int64, string, error) {
+	if username == "" {
+		username = nick
+	}
+
 	sessionUUID := uuid.New().String()
 	clientUUID := uuid.New().String()
 
@@ -79,9 +127,11 @@ func (database *Database) CreateSession(
 
 	res, err := transaction.ExecContext(ctx,
 		`INSERT INTO sessions
-		 (uuid, nick, created_at, last_seen)
+		 (uuid, nick, username, hostname, ip,
-		 VALUES (?, ?, ?, ?)`,
+		  created_at, last_seen)
-		sessionUUID, nick, now, now)
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		sessionUUID, nick, username, hostname,
+		remoteIP, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 
@@ -92,12 +142,15 @@ func (database *Database) CreateSession(
 
 	sessionID, _ := res.LastInsertId()
 
+	tokenHash := hashToken(token)
+
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash,
+		remoteIP, hostname, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 
@@ -130,6 +183,8 @@ func (database *Database) GetSessionByToken(
 		nick      string
 	)
 
+	tokenHash := hashToken(token)
+
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT s.id, c.id, s.nick
@@ -137,7 +192,7 @@ func (database *Database) GetSessionByToken(
 		 INNER JOIN sessions s
 		   ON s.id = c.session_id
 		 WHERE c.token = ?`,
-		token,
+		tokenHash,
 	).Scan(&sessionID, &clientID, &nick)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
@@ -183,6 +238,135 @@ func (database *Database) GetSessionByNick(
 	return sessionID, nil
 }
 
+// SessionHostInfo holds the username, hostname, and IP
+// for a session.
+type SessionHostInfo struct {
+	Username string
+	Hostname string
+	IP       string
+}
+
+// GetSessionHostInfo returns the username, hostname,
+// and IP for a session.
+func (database *Database) GetSessionHostInfo(
+	ctx context.Context,
+	sessionID int64,
+) (*SessionHostInfo, error) {
+	var info SessionHostInfo
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		`SELECT username, hostname, ip
+		 FROM sessions WHERE id = ?`,
+		sessionID,
+	).Scan(&info.Username, &info.Hostname, &info.IP)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get session host info: %w", err,
+		)
+	}
+
+	return &info, nil
+}
+
+// ClientHostInfo holds the IP and hostname for a client.
+type ClientHostInfo struct {
+	IP       string
+	Hostname string
+}
+
+// GetClientHostInfo returns the IP and hostname for a
+// client.
+func (database *Database) GetClientHostInfo(
+	ctx context.Context,
+	clientID int64,
+) (*ClientHostInfo, error) {
+	var info ClientHostInfo
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		`SELECT ip, hostname
+		 FROM clients WHERE id = ?`,
+		clientID,
+	).Scan(&info.IP, &info.Hostname)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get client host info: %w", err,
+		)
+	}
+
+	return &info, nil
+}
+
+// SetSessionOper sets the is_oper flag on a session.
+func (database *Database) SetSessionOper(
+	ctx context.Context,
+	sessionID int64,
+	isOper bool,
+) error {
+	val := 0
+	if isOper {
+		val = 1
+	}
+
+	_, err := database.conn.ExecContext(
+		ctx,
+		`UPDATE sessions SET is_oper = ? WHERE id = ?`,
+		val, sessionID,
+	)
+	if err != nil {
+		return fmt.Errorf("set session oper: %w", err)
+	}
+
+	return nil
+}
+
+// IsSessionOper returns whether the session has oper
+// status.
+func (database *Database) IsSessionOper(
+	ctx context.Context,
+	sessionID int64,
+) (bool, error) {
+	var isOper int
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		`SELECT is_oper FROM sessions WHERE id = ?`,
+		sessionID,
+	).Scan(&isOper)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check session oper: %w", err,
+		)
+	}
+
+	return isOper != 0, nil
+}
+
+// GetLatestClientForSession returns the IP and hostname
+// of the most recently created client for a session.
+func (database *Database) GetLatestClientForSession(
+	ctx context.Context,
+	sessionID int64,
+) (*ClientHostInfo, error) {
+	var info ClientHostInfo
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		`SELECT ip, hostname FROM clients
+		 WHERE session_id = ?
+		 ORDER BY created_at DESC LIMIT 1`,
+		sessionID,
+	).Scan(&info.IP, &info.Hostname)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get latest client for session: %w", err,
+		)
+	}
+
+	return &info, nil
+}
+
 // GetChannelByName returns the channel ID for a name.
 func (database *Database) GetChannelByName(
 	ctx context.Context,
@@ -362,7 +546,8 @@ func (database *Database) ChannelMembers(
 	channelID int64,
 ) ([]MemberInfo, error) {
 	rows, err := database.conn.QueryContext(ctx,
-		`SELECT s.id, s.nick, s.last_seen
+		`SELECT s.id, s.nick, s.username,
+		   s.hostname, s.last_seen
 		 FROM sessions s
 		 INNER JOIN channel_members cm
 		   ON cm.session_id = s.id
@@ -382,7 +567,9 @@ func (database *Database) ChannelMembers(
 		var member MemberInfo
 
 		err = rows.Scan(
-			&member.ID, &member.Nick, &member.LastSeen,
+			&member.ID, &member.Nick,
+			&member.Username, &member.Hostname,
+			&member.LastSeen,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
@@ -491,12 +678,17 @@ func (database *Database) GetSessionChannelIDs(
 func (database *Database) InsertMessage(
 	ctx context.Context,
 	command, from, target string,
+	params json.RawMessage,
 	body json.RawMessage,
 	meta json.RawMessage,
 ) (int64, string, error) {
 	msgUUID := uuid.New().String()
 	now := time.Now().UTC()
 
+	if params == nil {
+		params = json.RawMessage("[]")
+	}
+
 	if body == nil {
 		body = json.RawMessage("[]")
 	}
@@ -508,10 +700,10 @@ func (database *Database) InsertMessage(
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO messages
 		 (uuid, command, msg_from, msg_to,
-		  body, meta, created_at)
+		  params, body, meta, created_at)
-		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
 		msgUUID, command, from, target,
-		string(body), string(meta), now)
+		string(params), string(body), string(meta), now)
 	if err != nil {
 		return 0, "", fmt.Errorf(
 			"insert message: %w", err,
@@ -578,7 +770,7 @@ func (database *Database) PollMessages(
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT cq.id, m.uuid, m.command,
 		   m.msg_from, m.msg_to,
-		   m.body, m.meta, m.created_at
+		   m.params, m.body, m.meta, m.created_at
 		 FROM client_queues cq
 		 INNER JOIN messages m
 		   ON m.id = cq.message_id
@@ -642,7 +834,7 @@ func (database *Database) queryHistory(
 	if beforeID > 0 {
 		rows, err := database.conn.QueryContext(ctx,
 			`SELECT id, uuid, command, msg_from,
-			   msg_to, body, meta, created_at
+			   msg_to, params, body, meta, created_at
 			 FROM messages
 			 WHERE msg_to = ? AND id < ?
 			   AND command = 'PRIVMSG'
@@ -659,7 +851,7 @@ func (database *Database) queryHistory(
 
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT id, uuid, command, msg_from,
-		   msg_to, body, meta, created_at
+		   msg_to, params, body, meta, created_at
 		 FROM messages
 		 WHERE msg_to = ?
 		   AND command = 'PRIVMSG'
@@ -686,14 +878,14 @@ func scanMessages(
 		var (
 			msg                IRCMessage
 			qID                int64
-			body, meta string
+			params, body, meta string
 			createdAt          time.Time
 		)
 
 		err := rows.Scan(
 			&qID, &msg.ID, &msg.Command,
 			&msg.From, &msg.To,
-			&body, &meta, &createdAt,
+			&params, &body, &meta, &createdAt,
 		)
 		if err != nil {
 			return nil, fallbackQID, fmt.Errorf(
@@ -701,12 +893,25 @@ func scanMessages(
 			)
 		}
 
+		if params != "" && params != "[]" {
+			msg.Params = json.RawMessage(params)
+		}
+
 		msg.Body = json.RawMessage(body)
 		msg.Meta = json.RawMessage(meta)
 		msg.TS = createdAt.Format(time.RFC3339Nano)
 		msg.DBID = qID
 		lastQID = qID
 
+		if isNumericCode(msg.Command) {
+			code, _ := strconv.Atoi(msg.Command)
+			msg.Code = code
+
+			if mt, err := irc.FromInt(code); err == nil {
+				msg.Command = mt.Name()
+			}
+		}
+
 		msgs = append(msgs, msg)
 	}
 
@@ -815,6 +1020,26 @@ func (database *Database) GetUserCount(
 	return count, nil
 }
 
+// GetOperCount returns the number of sessions with oper
+// status.
+func (database *Database) GetOperCount(
+	ctx context.Context,
+) (int64, error) {
+	var count int64
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT COUNT(*) FROM sessions WHERE is_oper = 1",
+	).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get oper count: %w", err,
+		)
+	}
+
+	return count, nil
+}
+
 // ClientCountForSession returns the number of clients
 // belonging to a session.
 func (database *Database) ClientCountForSession(
@@ -943,3 +1168,321 @@ func (database *Database) GetSessionChannels(
 
 	return scanChannels(rows)
 }
+
+// GetChannelCount returns the total number of channels.
+func (database *Database) GetChannelCount(
+	ctx context.Context,
+) (int64, error) {
+	var count int64
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT COUNT(*) FROM channels",
+	).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get channel count: %w", err,
+		)
+	}
+
+	return count, nil
+}
+
+// ChannelInfoFull contains extended channel information.
+type ChannelInfoFull struct {
+	ID          int64  `json:"id"`
+	Name        string `json:"name"`
+	Topic       string `json:"topic"`
+	MemberCount int64  `json:"memberCount"`
+}
+
+// ListAllChannelsWithCounts returns every channel
+// with its member count.
+func (database *Database) ListAllChannelsWithCounts(
+	ctx context.Context,
+) ([]ChannelInfoFull, error) {
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT c.id, c.name, c.topic,
+		   COUNT(cm.session_id) AS member_count
+		 FROM channels c
+		 LEFT JOIN channel_members cm
+		   ON cm.channel_id = c.id
+		 GROUP BY c.id
+		 ORDER BY c.name`)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"list channels with counts: %w", err,
+		)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var out []ChannelInfoFull
+
+	for rows.Next() {
+		var chanInfo ChannelInfoFull
+
+		err = rows.Scan(
+			&chanInfo.ID, &chanInfo.Name,
+			&chanInfo.Topic, &chanInfo.MemberCount,
+		)
+		if err != nil {
+			return nil, fmt.Errorf(
+				"scan channel full: %w", err,
+			)
+		}
+
+		out = append(out, chanInfo)
+	}
+
+	err = rows.Err()
+	if err != nil {
+		return nil, fmt.Errorf("rows error: %w", err)
+	}
+
+	if out == nil {
+		out = []ChannelInfoFull{}
+	}
+
+	return out, nil
+}
+
+// GetChannelCreatedAt returns the creation time of a
+// channel.
+func (database *Database) GetChannelCreatedAt(
+	ctx context.Context,
+	channelID int64,
+) (time.Time, error) {
+	var createdAt time.Time
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT created_at FROM channels WHERE id = ?",
+		channelID,
+	).Scan(&createdAt)
+	if err != nil {
+		return time.Time{}, fmt.Errorf(
+			"get channel created_at: %w", err,
+		)
+	}
+
+	return createdAt, nil
+}
+
+// GetSessionCreatedAt returns the creation time of a
+// session.
+func (database *Database) GetSessionCreatedAt(
+	ctx context.Context,
+	sessionID int64,
+) (time.Time, error) {
+	var createdAt time.Time
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT created_at FROM sessions WHERE id = ?",
+		sessionID,
+	).Scan(&createdAt)
+	if err != nil {
+		return time.Time{}, fmt.Errorf(
+			"get session created_at: %w", err,
+		)
+	}
+
+	return createdAt, nil
+}
+
+// SetAway sets the away message for a session.
+// An empty message clears the away status.
+func (database *Database) SetAway(
+	ctx context.Context,
+	sessionID int64,
+	message string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		"UPDATE sessions SET away_message = ? WHERE id = ?",
+		message, sessionID)
+	if err != nil {
+		return fmt.Errorf("set away: %w", err)
+	}
+
+	return nil
+}
+
+// GetAway returns the away message for a session.
+// Returns an empty string if the user is not away.
+func (database *Database) GetAway(
+	ctx context.Context,
+	sessionID int64,
+) (string, error) {
+	var msg string
+
+	err := database.conn.QueryRowContext(ctx,
+		"SELECT away_message FROM sessions WHERE id = ?",
+		sessionID,
+	).Scan(&msg)
+	if err != nil {
+		return "", fmt.Errorf("get away: %w", err)
+	}
+
+	return msg, nil
+}
+
+// SetTopicMeta sets the topic along with who set it and
+// when.
+func (database *Database) SetTopicMeta(
+	ctx context.Context,
+	channelName, topic, setBy string,
+) error {
+	now := time.Now()
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET topic = ?, topic_set_by = ?,
+		     topic_set_at = ?, updated_at = ?
+		 WHERE name = ?`,
+		topic, setBy, now, now, channelName)
+	if err != nil {
+		return fmt.Errorf("set topic meta: %w", err)
+	}
+
+	return nil
+}
+
+// TopicMeta holds topic metadata for a channel.
+type TopicMeta struct {
+	SetBy string
+	SetAt time.Time
+}
+
+// GetTopicMeta returns who set the topic and when.
+func (database *Database) GetTopicMeta(
+	ctx context.Context,
+	channelID int64,
+) (*TopicMeta, error) {
+	var (
+		setBy string
+		setAt sql.NullTime
+	)
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT topic_set_by, topic_set_at
+		 FROM channels WHERE id = ?`,
+		channelID,
+	).Scan(&setBy, &setAt)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get topic meta: %w", err,
+		)
+	}
+
+	if setBy == "" || !setAt.Valid {
+		return nil, nil //nolint:nilnil
+	}
+
+	return &TopicMeta{
+		SetBy: setBy,
+		SetAt: setAt.Time,
+	}, nil
+}
+
+// GetSessionLastSeen returns the last_seen time for a
+// session.
+func (database *Database) GetSessionLastSeen(
+	ctx context.Context,
+	sessionID int64,
+) (time.Time, error) {
+	var lastSeen time.Time
+
+	err := database.conn.QueryRowContext(ctx,
+		"SELECT last_seen FROM sessions WHERE id = ?",
+		sessionID,
+	).Scan(&lastSeen)
+	if err != nil {
+		return time.Time{}, fmt.Errorf(
+			"get session last_seen: %w", err,
+		)
+	}
+
+	return lastSeen, nil
+}
+
+// PruneOldQueueEntries deletes client output queue entries
+// older than cutoff and returns the number of rows removed.
+func (database *Database) PruneOldQueueEntries(
+	ctx context.Context,
+	cutoff time.Time,
+) (int64, error) {
+	res, err := database.conn.ExecContext(ctx,
+		"DELETE FROM client_queues WHERE created_at < ?",
+		cutoff,
+	)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"prune old client output queue entries: %w", err,
+		)
+	}
+
+	deleted, _ := res.RowsAffected()
+
+	return deleted, nil
+}
+
+// PruneOldMessages deletes messages older than cutoff and
+// returns the number of rows removed.
+func (database *Database) PruneOldMessages(
+	ctx context.Context,
+	cutoff time.Time,
+) (int64, error) {
+	res, err := database.conn.ExecContext(ctx,
+		"DELETE FROM messages WHERE created_at < ?",
+		cutoff,
+	)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"prune old messages: %w", err,
+		)
+	}
+
+	deleted, _ := res.RowsAffected()
+
+	return deleted, nil
+}
+
+// GetClientCount returns the total number of clients.
+func (database *Database) GetClientCount(
+	ctx context.Context,
+) (int64, error) {
+	var count int64
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT COUNT(*) FROM clients",
+	).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get client count: %w", err,
+		)
+	}
+
+	return count, nil
+}
+
+// GetQueueEntryCount returns the total number of entries
+// in the client output queues.
+func (database *Database) GetQueueEntryCount(
+	ctx context.Context,
+) (int64, error) {
+	var count int64
+
+	err := database.conn.QueryRowContext(
+		ctx,
+		"SELECT COUNT(*) FROM client_queues",
+	).Scan(&count)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get queue entry count: %w", err,
+		)
+	}
+
+	return count, nil
+}

internal/db/queries_test.go

@@ -34,7 +34,7 @@ func TestCreateSession(t *testing.T) {
 	ctx := t.Context()
 
 	sessionID, _, token, err := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -45,7 +45,7 @@ func TestCreateSession(t *testing.T) {
 	}
 
 	_, _, dupToken, dupErr := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
@@ -54,13 +54,249 @@ func TestCreateSession(t *testing.T) {
 	_ = dupToken
 }
 
+// assertSessionHostInfo creates a session and verifies
+// the stored username and hostname match expectations.
+func assertSessionHostInfo(
+	t *testing.T,
+	database *db.Database,
+	nick, inputUser, inputHost,
+	expectUser, expectHost string,
+) {
+	t.Helper()
+
+	sessionID, _, _, err := database.CreateSession(
+		t.Context(), nick, inputUser, inputHost, "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		t.Context(), sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.Username != expectUser {
+		t.Fatalf(
+			"expected username %s, got %s",
+			expectUser, info.Username,
+		)
+	}
+
+	if info.Hostname != expectHost {
+		t.Fatalf(
+			"expected hostname %s, got %s",
+			expectHost, info.Hostname,
+		)
+	}
+}
+
+func TestCreateSessionWithUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	assertSessionHostInfo(
+		t, database,
+		"hostuser", "myident", "example.com",
+		"myident", "example.com",
+	)
+}
+
+func TestCreateSessionDefaultUsername(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	// Empty username defaults to nick.
+	assertSessionHostInfo(
+		t, database,
+		"defaultu", "", "host.local",
+		"defaultu", "host.local",
+	)
+}
+
+func TestCreateSessionStoresIP(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, clientID, _, err := database.CreateSession(
+		ctx, "ipuser", "ident", "host.example.com",
+		"192.168.1.42",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := database.GetSessionHostInfo(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.IP != "192.168.1.42" {
+		t.Fatalf(
+			"expected session IP 192.168.1.42, got %s",
+			info.IP,
+		)
+	}
+
+	clientInfo, err := database.GetClientHostInfo(
+		ctx, clientID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "192.168.1.42" {
+		t.Fatalf(
+			"expected client IP 192.168.1.42, got %s",
+			clientInfo.IP,
+		)
+	}
+
+	if clientInfo.Hostname != "host.example.com" {
+		t.Fatalf(
+			"expected client hostname host.example.com, got %s",
+			clientInfo.Hostname,
+		)
+	}
+}
+
+func TestGetClientHostInfoNotFound(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	_, err := database.GetClientHostInfo(
+		t.Context(), 99999,
+	)
+	if err == nil {
+		t.Fatal("expected error for nonexistent client")
+	}
+}
+
+func TestGetSessionHostInfoNotFound(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+
+	_, err := database.GetSessionHostInfo(
+		t.Context(), 99999,
+	)
+	if err == nil {
+		t.Fatal("expected error for nonexistent session")
+	}
+}
+
+func TestFormatHostmask(t *testing.T) {
+	t.Parallel()
+
+	result := db.FormatHostmask(
+		"nick", "user", "host.com",
+	)
+	if result != "nick!user@host.com" {
+		t.Fatalf(
+			"expected nick!user@host.com, got %s",
+			result,
+		)
+	}
+}
+
+func TestFormatHostmaskDefaults(t *testing.T) {
+	t.Parallel()
+
+	result := db.FormatHostmask("nick", "", "")
+	if result != "nick!nick@*" {
+		t.Fatalf(
+			"expected nick!nick@*, got %s",
+			result,
+		)
+	}
+}
+
+func TestMemberInfoHostmask(t *testing.T) {
+	t.Parallel()
+
+	member := &db.MemberInfo{ //nolint:exhaustruct // test only uses hostmask fields
+		Nick:     "alice",
+		Username: "aliceident",
+		Hostname: "alice.example.com",
+	}
+
+	hostmask := member.Hostmask()
+	expected := "alice!aliceident@alice.example.com"
+
+	if hostmask != expected {
+		t.Fatalf(
+			"expected %s, got %s", expected, hostmask,
+		)
+	}
+}
+
+func TestChannelMembersIncludeUserHost(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "memuser", "myuser", "myhost.net", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(
+		ctx, "#hostchan",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = database.JoinChannel(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	members, err := database.ChannelMembers(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(members) != 1 {
+		t.Fatalf(
+			"expected 1 member, got %d", len(members),
+		)
+	}
+
+	if members[0].Username != "myuser" {
+		t.Fatalf(
+			"expected username myuser, got %s",
+			members[0].Username,
+		)
+	}
+
+	if members[0].Hostname != "myhost.net" {
+		t.Fatalf(
+			"expected hostname myhost.net, got %s",
+			members[0].Hostname,
+		)
+	}
+}
+
 func TestGetSessionByToken(t *testing.T) {
 	t.Parallel()
 
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	_, _, token, err := database.CreateSession(ctx, "bob")
+	_, _, token, err := database.CreateSession(ctx, "bob", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -93,7 +329,7 @@ func TestGetSessionByNick(t *testing.T) {
 	ctx := t.Context()
 
 	charlieID, charlieClientID, charlieToken, err :=
-		database.CreateSession(ctx, "charlie")
+		database.CreateSession(ctx, "charlie", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -150,7 +386,7 @@ func TestJoinAndPart(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sid, _, _, err := database.CreateSession(ctx, "user1")
+	sid, _, _, err := database.CreateSession(ctx, "user1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -199,7 +435,7 @@ func TestDeleteChannelIfEmpty(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	sid, _, _, err := database.CreateSession(ctx, "temp")
+	sid, _, _, err := database.CreateSession(ctx, "temp", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -234,7 +470,7 @@ func createSessionWithChannels(
 
 	ctx := t.Context()
 
-	sid, _, _, err := database.CreateSession(ctx, nick)
+	sid, _, _, err := database.CreateSession(ctx, nick, "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -317,7 +553,7 @@ func TestChangeNick(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, token, err := database.CreateSession(
-		ctx, "old",
+		ctx, "old", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -383,7 +619,7 @@ func TestInsertMessage(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 
 	dbID, msgUUID, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -401,7 +637,7 @@ func TestPollMessages(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, token, err := database.CreateSession(
-		ctx, "poller",
+		ctx, "poller", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -417,7 +653,7 @@ func TestPollMessages(t *testing.T) {
 	body := json.RawMessage(`["hello"]`)
 
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "poller", "#test", body, nil,
+		ctx, "PRIVMSG", "poller", "#test", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -475,7 +711,7 @@ func TestGetHistory(t *testing.T) {
 	for range msgCount {
 		_, _, err := database.InsertMessage(
 			ctx, "PRIVMSG", "user", "#hist",
-			json.RawMessage(`["msg"]`), nil,
+			nil, json.RawMessage(`["msg"]`), nil,
 		)
 		if err != nil {
 			t.Fatal(err)
@@ -508,7 +744,7 @@ func TestDeleteSession(t *testing.T) {
 	ctx := t.Context()
 
 	sid, _, _, err := database.CreateSession(
-		ctx, "deleteme",
+		ctx, "deleteme", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -548,12 +784,12 @@ func TestChannelMembers(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
 
-	sid1, _, _, err := database.CreateSession(ctx, "m1")
+	sid1, _, _, err := database.CreateSession(ctx, "m1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	sid2, _, _, err := database.CreateSession(ctx, "m2")
+	sid2, _, _, err := database.CreateSession(ctx, "m2", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -611,7 +847,7 @@ func TestEnqueueToClient(t *testing.T) {
 	ctx := t.Context()
 
 	_, _, token, err := database.CreateSession(
-		ctx, "enqclient",
+		ctx, "enqclient", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -627,7 +863,7 @@ func TestEnqueueToClient(t *testing.T) {
 	body := json.RawMessage(`["test"]`)
 
 	dbID, _, err := database.InsertMessage(
-		ctx, "PRIVMSG", "sender", "#ch", body, nil,
+		ctx, "PRIVMSG", "sender", "#ch", nil, body, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -651,3 +887,133 @@ func TestEnqueueToClient(t *testing.T) {
 		t.Fatalf("expected 1, got %d", len(msgs))
 	}
 }
+
+func TestSetAndCheckSessionOper(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, "opernick", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Initially not oper.
+	isOper, err := database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isOper {
+		t.Fatal("expected session not to be oper")
+	}
+
+	// Set oper.
+	err = database.SetSessionOper(ctx, sessionID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isOper, err = database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !isOper {
+		t.Fatal("expected session to be oper")
+	}
+
+	// Unset oper.
+	err = database.SetSessionOper(ctx, sessionID, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isOper, err = database.IsSessionOper(ctx, sessionID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isOper {
+		t.Fatal("expected session not to be oper")
+	}
+}
+
+func TestGetLatestClientForSession(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sessionID, _, _, err := database.CreateSession(
+		ctx, "clientnick", "", "", "10.0.0.1",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientInfo, err := database.GetLatestClientForSession(
+		ctx, sessionID,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if clientInfo.IP != "10.0.0.1" {
+		t.Fatalf(
+			"expected IP 10.0.0.1, got %s",
+			clientInfo.IP,
+		)
+	}
+}
+
+func TestGetOperCount(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	// Create two sessions.
+	sid1, _, _, err := database.CreateSession(
+		ctx, "user1", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sid2, _, _, err := database.CreateSession(
+		ctx, "user2", "", "", "",
+	)
+	_ = sid2
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Initially zero opers.
+	count, err := database.GetOperCount(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if count != 0 {
+		t.Fatalf("expected 0 opers, got %d", count)
+	}
+
+	// Set one as oper.
+	err = database.SetSessionOper(ctx, sid1, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	count, err = database.GetOperCount(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if count != 1 {
+		t.Fatalf("expected 1 oper, got %d", count)
+	}
+}

internal/db/schema/001_initial.sql

@@ -6,8 +6,13 @@ CREATE TABLE IF NOT EXISTS sessions (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     uuid TEXT NOT NULL UNIQUE,
     nick TEXT NOT NULL UNIQUE,
+    username TEXT NOT NULL DEFAULT '',
+    hostname TEXT NOT NULL DEFAULT '',
+    ip TEXT NOT NULL DEFAULT '',
+    is_oper INTEGER NOT NULL DEFAULT 0,
     password_hash TEXT NOT NULL DEFAULT '',
     signing_key TEXT NOT NULL DEFAULT '',
+    away_message TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -19,6 +24,8 @@ CREATE TABLE IF NOT EXISTS clients (
     uuid TEXT NOT NULL UNIQUE,
     session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
     token TEXT NOT NULL UNIQUE,
+    ip TEXT NOT NULL DEFAULT '',
+    hostname TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -30,6 +37,8 @@ CREATE TABLE IF NOT EXISTS channels (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL UNIQUE,
     topic TEXT NOT NULL DEFAULT '',
+    topic_set_by TEXT NOT NULL DEFAULT '',
+    topic_set_at DATETIME,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -50,6 +59,7 @@ CREATE TABLE IF NOT EXISTS messages (
     command TEXT NOT NULL DEFAULT 'PRIVMSG',
     msg_from TEXT NOT NULL DEFAULT '',
     msg_to TEXT NOT NULL DEFAULT '',
+    params TEXT NOT NULL DEFAULT '[]',
     body TEXT NOT NULL DEFAULT '[]',
     meta TEXT NOT NULL DEFAULT '{}',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP

internal/globals/globals.go

@@ -2,6 +2,8 @@
 package globals
 
 import (
+	"time"
+
 	"go.uber.org/fx"
 )
 
@@ -17,14 +19,16 @@ var (
 type Globals struct {
 	Appname   string
 	Version   string
+	StartTime time.Time
 }
 
 // New creates a new Globals instance from the global state.
 func New(_ fx.Lifecycle) (*Globals, error) {
-	n := &Globals{
+	result := &Globals{
 		Appname:   Appname,
 		Version:   Version,
+		StartTime: time.Now(),
 	}
 
-	return n, nil
+	return result, nil
 }

internal/handlers/auth.go

@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
+
+	"git.eeqj.de/sneak/neoirc/internal/db"
 )
 
 const minPasswordLength = 8
@@ -28,6 +30,7 @@ func (hdlr *Handlers) handleRegister(
 ) {
 	type registerRequest struct {
 		Nick     string `json:"nick"`
+		Username string `json:"username,omitempty"`
 		Password string `json:"password"`
 	}
 
@@ -56,6 +59,20 @@ func (hdlr *Handlers) handleRegister(
 		return
 	}
 
+	username := resolveUsername(
+		payload.Username, payload.Nick,
+	)
+
+	if !validUsernameRe.MatchString(username) {
+		hdlr.respondError(
+			writer, request,
+			"invalid username format",
+			http.StatusBadRequest,
+		)
+
+		return
+	}
+
 	if len(payload.Password) < minPasswordLength {
 		hdlr.respondError(
 			writer, request,
@@ -66,11 +83,27 @@ func (hdlr *Handlers) handleRegister(
 		return
 	}
 
+	hdlr.executeRegister(
+		writer, request,
+		payload.Nick, payload.Password, username,
+	)
+}
+
+func (hdlr *Handlers) executeRegister(
+	writer http.ResponseWriter,
+	request *http.Request,
+	nick, password, username string,
+) {
+	remoteIP := clientIP(request)
+
+	hostname := resolveHostname(
+		request.Context(), remoteIP,
+	)
+
 	sessionID, clientID, token, err :=
 		hdlr.params.Database.RegisterUser(
 			request.Context(),
-			payload.Nick,
+			nick, password, username, hostname, remoteIP,
-			payload.Password,
 		)
 	if err != nil {
 		hdlr.handleRegisterError(
@@ -80,11 +113,14 @@ func (hdlr *Handlers) handleRegister(
 		return
 	}
 
-	hdlr.deliverMOTD(request, clientID, sessionID)
+	hdlr.stats.IncrSessions()
+	hdlr.stats.IncrConnections()
+
+	hdlr.deliverMOTD(request, clientID, sessionID, nick)
 
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
-		"nick":  payload.Nick,
+		"nick":  nick,
 		"token": token,
 	}, http.StatusCreated)
 }
@@ -94,7 +130,7 @@ func (hdlr *Handlers) handleRegisterError(
 	request *http.Request,
 	err error,
 ) {
-	if strings.Contains(err.Error(), "UNIQUE") {
+	if db.IsUniqueConstraintError(err) {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
@@ -162,11 +198,18 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
-	sessionID, _, token, err :=
+	remoteIP := clientIP(request)
+
+	hostname := resolveHostname(
+		request.Context(), remoteIP,
+	)
+
+	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
 			payload.Nick,
 			payload.Password,
+			remoteIP, hostname,
 		)
 	if err != nil {
 		hdlr.respondError(
@@ -178,6 +221,18 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 
+	hdlr.stats.IncrConnections()
+
+	hdlr.deliverMOTD(
+		request, clientID, sessionID, payload.Nick,
+	)
+
+	// Initialize channel state so the new client knows
+	// which channels the session already belongs to.
+	hdlr.initChannelState(
+		request, clientID, sessionID, payload.Nick,
+	)
+
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
 		"nick":  payload.Nick,

internal/handlers/handlers.go

@@ -13,8 +13,10 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/config"
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/internal/globals"
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -29,9 +31,10 @@ type Params struct {
 	Config      *config.Config
 	Database    *db.Database
 	Healthcheck *healthcheck.Healthcheck
+	Stats       *stats.Tracker
 }
 
-const defaultIdleTimeout = 24 * time.Hour
+const defaultIdleTimeout = 30 * 24 * time.Hour
 
 // Handlers manages HTTP request handling.
 type Handlers struct {
@@ -39,6 +42,8 @@ type Handlers struct {
 	log           *slog.Logger
 	hc            *healthcheck.Healthcheck
 	broker        *broker.Broker
+	hashcashVal   *hashcash.Validator
+	stats         *stats.Tracker
 	cancelCleanup context.CancelFunc
 }
 
@@ -47,11 +52,18 @@ func New(
 	lifecycle fx.Lifecycle,
 	params Params,
 ) (*Handlers, error) {
+	resource := params.Config.ServerName
+	if resource == "" {
+		resource = "neoirc"
+	}
+
 	hdlr := &Handlers{ //nolint:exhaustruct // cancelCleanup set in startCleanup
 		params:      &params,
 		log:         params.Logger.Get(),
 		hc:          params.Healthcheck,
 		broker:      broker.New(),
+		hashcashVal: hashcash.NewValidator(resource),
+		stats:       params.Stats,
 	}
 
 	lifecycle.Append(fx.Hook{
@@ -200,4 +212,77 @@ func (hdlr *Handlers) runCleanup(
 			"deleted", deleted,
 		)
 	}
+
+	hdlr.pruneQueuesAndMessages(ctx)
+}
+
+// parseDurationConfig parses a Go duration string,
+// returning zero on empty input and logging on error.
+func (hdlr *Handlers) parseDurationConfig(
+	name, raw string,
+) time.Duration {
+	if raw == "" {
+		return 0
+	}
+
+	dur, err := time.ParseDuration(raw)
+	if err != nil {
+		hdlr.log.Error(
+			"invalid duration config, skipping",
+			"name", name, "value", raw, "error", err,
+		)
+
+		return 0
+	}
+
+	return dur
+}
+
+// pruneQueuesAndMessages removes old client output queue
+// entries per QUEUE_MAX_AGE and old messages per
+// MESSAGE_MAX_AGE.
+func (hdlr *Handlers) pruneQueuesAndMessages(
+	ctx context.Context,
+) {
+	queueMaxAge := hdlr.parseDurationConfig(
+		"QUEUE_MAX_AGE",
+		hdlr.params.Config.QueueMaxAge,
+	)
+	if queueMaxAge > 0 {
+		queueCutoff := time.Now().Add(-queueMaxAge)
+
+		pruned, err := hdlr.params.Database.
+			PruneOldQueueEntries(ctx, queueCutoff)
+		if err != nil {
+			hdlr.log.Error(
+				"client output queue pruning failed", "error", err,
+			)
+		} else if pruned > 0 {
+			hdlr.log.Info(
+				"pruned old client output queue entries",
+				"deleted", pruned,
+			)
+		}
+	}
+
+	messageMaxAge := hdlr.parseDurationConfig(
+		"MESSAGE_MAX_AGE",
+		hdlr.params.Config.MessageMaxAge,
+	)
+	if messageMaxAge > 0 {
+		msgCutoff := time.Now().Add(-messageMaxAge)
+
+		pruned, err := hdlr.params.Database.
+			PruneOldMessages(ctx, msgCutoff)
+		if err != nil {
+			hdlr.log.Error(
+				"message pruning failed", "error", err,
+			)
+		} else if pruned > 0 {
+			hdlr.log.Info(
+				"pruned old messages",
+				"deleted", pruned,
+			)
+		}
+	}
 }

internal/handlers/healthcheck.go

@@ -12,7 +12,7 @@ func (hdlr *Handlers) HandleHealthCheck() http.HandlerFunc {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
-		resp := hdlr.hc.Healthcheck()
+		resp := hdlr.hc.Healthcheck(request.Context())
 		hdlr.respondJSON(writer, request, resp, httpStatusOK)
 	}
 }

internal/hashcash/hashcash.go

@@ -0,0 +1,277 @@
+// Package hashcash implements SHA-256-based hashcash
+// proof-of-work validation for abuse prevention.
+//
+// Stamp format: 1:bits:YYMMDD:resource::counter.
+//
+// The SHA-256 hash of the entire stamp string must have
+// at least `bits` leading zero bits.
+package hashcash
+
+import (
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	// stampVersion is the only supported hashcash version.
+	stampVersion = "1"
+	// stampFields is the number of fields in a stamp.
+	stampFields = 6
+	// maxStampAge is how old a stamp can be before
+	// rejection.
+	maxStampAge = 48 * time.Hour
+	// maxFutureSkew allows stamps slightly in the future.
+	maxFutureSkew = 1 * time.Hour
+	// pruneInterval controls how often expired stamps are
+	// removed from the spent set.
+	pruneInterval = 10 * time.Minute
+	// dateFormatShort is the YYMMDD date layout.
+	dateFormatShort = "060102"
+	// dateFormatLong is the YYMMDDHHMMSS date layout.
+	dateFormatLong = "060102150405"
+	// dateShortLen is the length of YYMMDD.
+	dateShortLen = 6
+	// dateLongLen is the length of YYMMDDHHMMSS.
+	dateLongLen = 12
+	// bitsPerByte is the number of bits in a byte.
+	bitsPerByte = 8
+	// fullByteMask is 0xFF, a mask for all bits in a byte.
+	fullByteMask = 0xFF
+)
+
+var (
+	errInvalidFields    = errors.New("invalid stamp field count")
+	errBadVersion       = errors.New("unsupported stamp version")
+	errInsufficientBits = errors.New("insufficient difficulty")
+	errWrongResource    = errors.New("wrong resource")
+	errStampExpired     = errors.New("stamp expired")
+	errStampFuture      = errors.New("stamp date in future")
+	errProofFailed      = errors.New("proof-of-work failed")
+	errStampReused      = errors.New("stamp already used")
+	errBadDateFormat    = errors.New("unrecognized date format")
+)
+
+// Validator checks hashcash stamps for validity and
+// prevents replay attacks via an in-memory spent set.
+type Validator struct {
+	resource string
+	mu       sync.Mutex
+	spent    map[string]time.Time
+}
+
+// NewValidator creates a Validator for the given resource.
+func NewValidator(resource string) *Validator {
+	validator := &Validator{
+		resource: resource,
+		mu:       sync.Mutex{},
+		spent:    make(map[string]time.Time),
+	}
+
+	go validator.pruneLoop()
+
+	return validator
+}
+
+// Validate checks a hashcash stamp. It returns nil if the
+// stamp is valid and has not been seen before.
+func (v *Validator) Validate(
+	stamp string,
+	requiredBits int,
+) error {
+	if requiredBits <= 0 {
+		return nil
+	}
+
+	parts := strings.Split(stamp, ":")
+	if len(parts) != stampFields {
+		return fmt.Errorf(
+			"%w: expected %d, got %d",
+			errInvalidFields, stampFields, len(parts),
+		)
+	}
+
+	version := parts[0]
+	bitsStr := parts[1]
+	dateStr := parts[2]
+	resource := parts[3]
+
+	if err := v.validateHeader(
+		version, bitsStr, resource, requiredBits,
+	); err != nil {
+		return err
+	}
+
+	stampTime, err := parseStampDate(dateStr)
+	if err != nil {
+		return err
+	}
+
+	if err := validateTime(stampTime); err != nil {
+		return err
+	}
+
+	if err := validateProof(
+		stamp, requiredBits,
+	); err != nil {
+		return err
+	}
+
+	return v.checkAndRecordStamp(stamp, stampTime)
+}
+
+func (v *Validator) validateHeader(
+	version, bitsStr, resource string,
+	requiredBits int,
+) error {
+	if version != stampVersion {
+		return fmt.Errorf(
+			"%w: %s", errBadVersion, version,
+		)
+	}
+
+	claimedBits, err := strconv.Atoi(bitsStr)
+	if err != nil || claimedBits < requiredBits {
+		return fmt.Errorf(
+			"%w: need %d bits",
+			errInsufficientBits, requiredBits,
+		)
+	}
+
+	if resource != v.resource {
+		return fmt.Errorf(
+			"%w: got %q, want %q",
+			errWrongResource, resource, v.resource,
+		)
+	}
+
+	return nil
+}
+
+func validateTime(stampTime time.Time) error {
+	now := time.Now()
+
+	if now.Sub(stampTime) > maxStampAge {
+		return errStampExpired
+	}
+
+	if stampTime.Sub(now) > maxFutureSkew {
+		return errStampFuture
+	}
+
+	return nil
+}
+
+func validateProof(stamp string, requiredBits int) error {
+	hash := sha256.Sum256([]byte(stamp))
+	if !hasLeadingZeroBits(hash[:], requiredBits) {
+		return fmt.Errorf(
+			"%w: need %d leading zero bits",
+			errProofFailed, requiredBits,
+		)
+	}
+
+	return nil
+}
+
+func (v *Validator) checkAndRecordStamp(
+	stamp string,
+	stampTime time.Time,
+) error {
+	v.mu.Lock()
+	defer v.mu.Unlock()
+
+	if _, ok := v.spent[stamp]; ok {
+		return errStampReused
+	}
+
+	v.spent[stamp] = stampTime
+
+	return nil
+}
+
+// hasLeadingZeroBits checks if the hash has at least n
+// leading zero bits.
+func hasLeadingZeroBits(hash []byte, numBits int) bool {
+	fullBytes := numBits / bitsPerByte
+	remainBits := numBits % bitsPerByte
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(
+			fullByteMask << (bitsPerByte - remainBits),
+		)
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+// parseStampDate parses a hashcash date stamp.
+// Supports YYMMDD and YYMMDDHHMMSS formats.
+func parseStampDate(dateStr string) (time.Time, error) {
+	switch len(dateStr) {
+	case dateShortLen:
+		parsed, err := time.Parse(
+			dateFormatShort, dateStr,
+		)
+		if err != nil {
+			return time.Time{}, fmt.Errorf(
+				"parse date: %w", err,
+			)
+		}
+
+		return parsed, nil
+	case dateLongLen:
+		parsed, err := time.Parse(
+			dateFormatLong, dateStr,
+		)
+		if err != nil {
+			return time.Time{}, fmt.Errorf(
+				"parse date: %w", err,
+			)
+		}
+
+		return parsed, nil
+	default:
+		return time.Time{}, fmt.Errorf(
+			"%w: %q", errBadDateFormat, dateStr,
+		)
+	}
+}
+
+// pruneLoop periodically removes expired stamps from the
+// spent set.
+func (v *Validator) pruneLoop() {
+	ticker := time.NewTicker(pruneInterval)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		v.prune()
+	}
+}
+
+func (v *Validator) prune() {
+	cutoff := time.Now().Add(-maxStampAge)
+
+	v.mu.Lock()
+	defer v.mu.Unlock()
+
+	for stamp, stampTime := range v.spent {
+		if stampTime.Before(cutoff) {
+			delete(v.spent, stamp)
+		}
+	}
+}

internal/hashcash/hashcash_test.go

@@ -0,0 +1,261 @@
+package hashcash_test
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"math/big"
+	"testing"
+	"time"
+
+	"git.eeqj.de/sneak/neoirc/internal/hashcash"
+)
+
+const testBits = 2
+
+// mintStampWithDate creates a valid hashcash stamp using
+// the given date string.
+func mintStampWithDate(
+	tb testing.TB,
+	bits int,
+	resource string,
+	date string,
+) string {
+	tb.Helper()
+
+	prefix := fmt.Sprintf(
+		"1:%d:%s:%s::", bits, date, resource,
+	)
+
+	for {
+		counterVal, err := rand.Int(
+			rand.Reader, big.NewInt(1<<48),
+		)
+		if err != nil {
+			tb.Fatalf("random counter: %v", err)
+		}
+
+		stamp := prefix + hex.EncodeToString(
+			counterVal.Bytes(),
+		)
+		hash := sha256.Sum256([]byte(stamp))
+
+		if hasLeadingZeroBits(hash[:], bits) {
+			return stamp
+		}
+	}
+}
+
+// hasLeadingZeroBits checks if hash has at least numBits
+// leading zero bits. Duplicated here for test minting.
+func hasLeadingZeroBits(
+	hash []byte,
+	numBits int,
+) bool {
+	fullBytes := numBits / 8
+	remainBits := numBits % 8
+
+	for idx := range fullBytes {
+		if hash[idx] != 0 {
+			return false
+		}
+	}
+
+	if remainBits > 0 && fullBytes < len(hash) {
+		mask := byte(0xFF << (8 - remainBits))
+
+		if hash[fullBytes]&mask != 0 {
+			return false
+		}
+	}
+
+	return true
+}
+
+func todayDate() string {
+	return time.Now().UTC().Format("060102")
+}
+
+func TestMintAndValidate(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("valid stamp rejected: %v", err)
+	}
+}
+
+func TestReplayDetection(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("first use failed: %v", err)
+	}
+
+	err = validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("replay not detected")
+	}
+}
+
+func TestResourceMismatch(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("correct-resource")
+	stamp := mintStampWithDate(
+		t, testBits, "wrong-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected resource mismatch error")
+	}
+}
+
+func TestInvalidStampFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	err := validator.Validate(
+		"not:a:valid:stamp", testBits,
+	)
+	if err == nil {
+		t.Fatal("expected error for bad format")
+	}
+}
+
+func TestBadVersion(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := fmt.Sprintf(
+		"2:%d:%s:%s::abc123",
+		testBits, todayDate(), "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected bad version error")
+	}
+}
+
+func TestInsufficientDifficulty(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	// Claimed bits=1, but we require testBits=2.
+	stamp := fmt.Sprintf(
+		"1:1:%s:%s::counter",
+		todayDate(), "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected insufficient bits error")
+	}
+}
+
+func TestExpiredStamp(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	oldDate := time.Now().Add(-72 * time.Hour).
+		UTC().Format("060102")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", oldDate,
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected expired stamp error")
+	}
+}
+
+func TestZeroBitsSkipsValidation(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	err := validator.Validate("garbage", 0)
+	if err != nil {
+		t.Fatalf("zero bits should skip: %v", err)
+	}
+}
+
+func TestLongDateFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	longDate := time.Now().UTC().Format("060102150405")
+	stamp := mintStampWithDate(
+		t, testBits, "test-resource", longDate,
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf("long date stamp rejected: %v", err)
+	}
+}
+
+func TestBadDateFormat(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+	stamp := fmt.Sprintf(
+		"1:%d:BADDATE:%s::counter",
+		testBits, "test-resource",
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err == nil {
+		t.Fatal("expected bad date error")
+	}
+}
+
+func TestMultipleUniqueStamps(t *testing.T) {
+	t.Parallel()
+
+	validator := hashcash.NewValidator("test-resource")
+
+	for range 5 {
+		stamp := mintStampWithDate(
+			t, testBits, "test-resource", todayDate(),
+		)
+
+		err := validator.Validate(stamp, testBits)
+		if err != nil {
+			t.Fatalf("unique stamp rejected: %v", err)
+		}
+	}
+}
+
+func TestHigherBitsStillValid(t *testing.T) {
+	t.Parallel()
+
+	// Mint with bits=4 but validate requiring only 2.
+	validator := hashcash.NewValidator("test-resource")
+	stamp := mintStampWithDate(
+		t, 4, "test-resource", todayDate(),
+	)
+
+	err := validator.Validate(stamp, testBits)
+	if err != nil {
+		t.Fatalf(
+			"higher-difficulty stamp rejected: %v",
+			err,
+		)
+	}
+}

internal/healthcheck/healthcheck.go

@@ -10,6 +10,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
+	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
 
@@ -21,6 +22,7 @@ type Params struct {
 	Config   *config.Config
 	Logger   *logger.Logger
 	Database *db.Database
+	Stats    *stats.Tracker
 }
 
 // Healthcheck tracks server uptime and provides health status.
@@ -64,11 +66,22 @@ type Response struct {
 	Version       string `json:"version"`
 	Appname       string `json:"appname"`
 	Maintenance   bool   `json:"maintenanceMode"`
+
+	// Runtime statistics.
+	Sessions             int64 `json:"sessions"`
+	Clients              int64 `json:"clients"`
+	QueuedLines          int64 `json:"queuedLines"`
+	Channels             int64 `json:"channels"`
+	ConnectionsSinceBoot int64 `json:"connectionsSinceBoot"`
+	SessionsSinceBoot    int64 `json:"sessionsSinceBoot"`
+	MessagesSinceBoot    int64 `json:"messagesSinceBoot"`
 }
 
 // Healthcheck returns the current health status of the server.
-func (hcheck *Healthcheck) Healthcheck() *Response {
+func (hcheck *Healthcheck) Healthcheck(
-	return &Response{
+	ctx context.Context,
+) *Response {
+	resp := &Response{
 		Status:        "ok",
 		Now:           time.Now().UTC().Format(time.RFC3339Nano),
 		UptimeSeconds: int64(hcheck.uptime().Seconds()),
@@ -76,6 +89,64 @@ func (hcheck *Healthcheck) Healthcheck() *Response {
 		Appname:       hcheck.params.Globals.Appname,
 		Version:       hcheck.params.Globals.Version,
 		Maintenance:   hcheck.params.Config.MaintenanceMode,
+
+		Sessions:             0,
+		Clients:              0,
+		QueuedLines:          0,
+		Channels:             0,
+		ConnectionsSinceBoot: hcheck.params.Stats.ConnectionsSinceBoot(),
+		SessionsSinceBoot:    hcheck.params.Stats.SessionsSinceBoot(),
+		MessagesSinceBoot:    hcheck.params.Stats.MessagesSinceBoot(),
+	}
+
+	hcheck.populateDBStats(ctx, resp)
+
+	return resp
+}
+
+// populateDBStats fills in database-derived counters.
+func (hcheck *Healthcheck) populateDBStats(
+	ctx context.Context,
+	resp *Response,
+) {
+	sessions, err := hcheck.params.Database.GetUserCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: session count failed",
+			"error", err,
+		)
+	} else {
+		resp.Sessions = sessions
+	}
+
+	clients, err := hcheck.params.Database.GetClientCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: client count failed",
+			"error", err,
+		)
+	} else {
+		resp.Clients = clients
+	}
+
+	queued, err := hcheck.params.Database.GetQueueEntryCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: queue entry count failed",
+			"error", err,
+		)
+	} else {
+		resp.QueuedLines = queued
+	}
+
+	channels, err := hcheck.params.Database.GetChannelCount(ctx)
+	if err != nil {
+		hcheck.log.Error(
+			"healthcheck: channel count failed",
+			"error", err,
+		)
+	} else {
+		resp.Channels = channels
 	}
 }
 

internal/middleware/middleware.go

@@ -11,7 +11,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	chimw "github.com/go-chi/chi/middleware"
+	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"
@@ -142,20 +142,6 @@ func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	})
 }
 
-// Auth returns middleware that performs authentication.
-func (mware *Middleware) Auth() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(
-				writer http.ResponseWriter,
-				request *http.Request,
-			) {
-				mware.log.Info("AUTH: before request")
-				next.ServeHTTP(writer, request)
-			})
-	}
-}
-
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -180,3 +166,36 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
+
+// cspPolicy is the Content-Security-Policy header value applied to all
+// responses.  The embedded SPA loads scripts and styles from same-origin
+// files only (no inline scripts or inline style attributes), so a strict
+// policy works without 'unsafe-inline'.
+const cspPolicy = "default-src 'self'; " +
+	"script-src 'self'; " +
+	"style-src 'self'; " +
+	"connect-src 'self'; " +
+	"img-src 'self'; " +
+	"font-src 'self'; " +
+	"object-src 'none'; " +
+	"frame-ancestors 'none'; " +
+	"base-uri 'self'; " +
+	"form-action 'self'"
+
+// CSP returns middleware that sets the Content-Security-Policy header on
+// every response for defense-in-depth against XSS.
+func (mware *Middleware) CSP() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				writer.Header().Set(
+					"Content-Security-Policy",
+					cspPolicy,
+				)
+				next.ServeHTTP(writer, request)
+			})
+	}
+}

internal/server/routes.go

@@ -8,8 +8,8 @@ import (
 	"git.eeqj.de/sneak/neoirc/web"
 
 	sentryhttp "github.com/getsentry/sentry-go/http"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/spf13/viper"
 )
@@ -29,6 +29,7 @@ func (srv *Server) SetupRoutes() {
 	}
 
 	srv.router.Use(srv.mw.CORS())
+	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))
 
 	if srv.sentryEnabled {

internal/server/server.go

@@ -20,7 +20,7 @@ import (
 	"go.uber.org/fx"
 
 	"github.com/getsentry/sentry-go"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )

internal/stats/stats.go

@@ -0,0 +1,52 @@
+// Package stats tracks runtime statistics since server boot.
+package stats
+
+import (
+	"sync/atomic"
+)
+
+// Tracker holds atomic counters for runtime statistics
+// that accumulate since the server started.
+type Tracker struct {
+	connectionsSinceBoot atomic.Int64
+	sessionsSinceBoot    atomic.Int64
+	messagesSinceBoot    atomic.Int64
+}
+
+// New creates a new Tracker with all counters at zero.
+func New() *Tracker {
+	return &Tracker{} //nolint:exhaustruct // atomic fields have zero-value defaults
+}
+
+// IncrConnections increments the total connection count.
+func (t *Tracker) IncrConnections() {
+	t.connectionsSinceBoot.Add(1)
+}
+
+// IncrSessions increments the total session count.
+func (t *Tracker) IncrSessions() {
+	t.sessionsSinceBoot.Add(1)
+}
+
+// IncrMessages increments the total PRIVMSG/NOTICE count.
+func (t *Tracker) IncrMessages() {
+	t.messagesSinceBoot.Add(1)
+}
+
+// ConnectionsSinceBoot returns the total number of
+// client connections since boot.
+func (t *Tracker) ConnectionsSinceBoot() int64 {
+	return t.connectionsSinceBoot.Load()
+}
+
+// SessionsSinceBoot returns the total number of sessions
+// created since boot.
+func (t *Tracker) SessionsSinceBoot() int64 {
+	return t.sessionsSinceBoot.Load()
+}
+
+// MessagesSinceBoot returns the total number of
+// PRIVMSG/NOTICE messages sent since boot.
+func (t *Tracker) MessagesSinceBoot() int64 {
+	return t.messagesSinceBoot.Load()
+}

internal/stats/stats_test.go

@@ -0,0 +1,117 @@
+package stats_test
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/internal/stats"
+)
+
+func TestNew(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+	if tracker == nil {
+		t.Fatal("expected non-nil tracker")
+	}
+
+	if tracker.ConnectionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 connections, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 sessions, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 0 {
+		t.Errorf(
+			"expected 0 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}
+
+func TestIncrConnections(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+	tracker.IncrConnections()
+
+	got := tracker.ConnectionsSinceBoot()
+	if got != 3 {
+		t.Errorf(
+			"expected 3 connections, got %d", got,
+		)
+	}
+}
+
+func TestIncrSessions(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrSessions()
+	tracker.IncrSessions()
+
+	got := tracker.SessionsSinceBoot()
+	if got != 2 {
+		t.Errorf(
+			"expected 2 sessions, got %d", got,
+		)
+	}
+}
+
+func TestIncrMessages(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrMessages()
+
+	got := tracker.MessagesSinceBoot()
+	if got != 1 {
+		t.Errorf(
+			"expected 1 message, got %d", got,
+		)
+	}
+}
+
+func TestCountersAreIndependent(t *testing.T) {
+	t.Parallel()
+
+	tracker := stats.New()
+
+	tracker.IncrConnections()
+	tracker.IncrSessions()
+	tracker.IncrMessages()
+	tracker.IncrMessages()
+
+	if tracker.ConnectionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 connection, got %d",
+			tracker.ConnectionsSinceBoot(),
+		)
+	}
+
+	if tracker.SessionsSinceBoot() != 1 {
+		t.Errorf(
+			"expected 1 session, got %d",
+			tracker.SessionsSinceBoot(),
+		)
+	}
+
+	if tracker.MessagesSinceBoot() != 2 {
+		t.Errorf(
+			"expected 2 messages, got %d",
+			tracker.MessagesSinceBoot(),
+		)
+	}
+}

pkg/irc/commands.go

@@ -0,0 +1,23 @@
+package irc
+
+// IRC command names (RFC 1459 / RFC 2812).
+const (
+	CmdAway    = "AWAY"
+	CmdJoin    = "JOIN"
+	CmdList    = "LIST"
+	CmdLusers  = "LUSERS"
+	CmdMode    = "MODE"
+	CmdMotd    = "MOTD"
+	CmdNames   = "NAMES"
+	CmdNick    = "NICK"
+	CmdNotice  = "NOTICE"
+	CmdOper    = "OPER"
+	CmdPart    = "PART"
+	CmdPing    = "PING"
+	CmdPong    = "PONG"
+	CmdPrivmsg = "PRIVMSG"
+	CmdQuit    = "QUIT"
+	CmdTopic   = "TOPIC"
+	CmdWho     = "WHO"
+	CmdWhois   = "WHOIS"
+)

pkg/irc/numerics.go

@@ -0,0 +1,393 @@
+// Package irc provides constants and utilities for the
+// IRC protocol, including numeric reply codes from
+// RFC 1459 and RFC 2812, and standard command names.
+package irc
+
+import (
+	"errors"
+	"fmt"
+)
+
+// IRCMessageType represents an IRC numeric reply or error code.
+type IRCMessageType int //nolint:revive // Name requested by project owner.
+
+// Name returns the standard IRC name for this numeric code
+// (e.g., IRCMessageType(252).Name() returns "RPL_LUSEROP").
+// Returns an empty string if the code is unknown.
+func (t IRCMessageType) Name() string {
+	return names[t]
+}
+
+// String returns the name and numeric code in angle brackets
+// (e.g., IRCMessageType(252).String() returns "RPL_LUSEROP <252>").
+// If the code is unknown, returns "UNKNOWN <NNN>".
+func (t IRCMessageType) String() string {
+	n := names[t]
+	if n == "" {
+		n = "UNKNOWN"
+	}
+
+	return fmt.Sprintf("%s <%03d>", n, int(t))
+}
+
+// Code returns the three-digit zero-padded string representation
+// of the numeric code (e.g., IRCMessageType(252).Code() returns "252").
+func (t IRCMessageType) Code() string {
+	return fmt.Sprintf("%03d", int(t))
+}
+
+// Int returns the bare integer value of the numeric code.
+func (t IRCMessageType) Int() int {
+	return int(t)
+}
+
+// ErrUnknownNumeric is returned by FromInt when the numeric code is not recognized.
+var ErrUnknownNumeric = errors.New("unknown IRC numeric code")
+
+// FromInt converts an integer to an IRCMessageType, returning an error
+// if the numeric code is not a known IRC reply or error code.
+func FromInt(n int) (IRCMessageType, error) {
+	t := IRCMessageType(n)
+	if _, ok := names[t]; !ok {
+		return 0, fmt.Errorf("%w: %d", ErrUnknownNumeric, n)
+	}
+
+	return t, nil
+}
+
+// Connection registration replies (001-005).
+const (
+	RplWelcome  IRCMessageType = 1
+	RplYourHost IRCMessageType = 2
+	RplCreated  IRCMessageType = 3
+	RplMyInfo   IRCMessageType = 4
+	RplBounce   IRCMessageType = 5 // RFC 2812; also known as RPL_ISUPPORT in practice
+	RplIsupport IRCMessageType = 5 // De-facto standard (same numeric as RplBounce)
+)
+
+// Command responses (200-399).
+const (
+	// RFC 2812 trace/stats/links replies (200-219).
+	RplTraceLink       IRCMessageType = 200
+	RplTraceConnecting IRCMessageType = 201
+	RplTraceHandshake  IRCMessageType = 202
+	RplTraceUnknown    IRCMessageType = 203
+	RplTraceOperator   IRCMessageType = 204
+	RplTraceUser       IRCMessageType = 205
+	RplTraceServer     IRCMessageType = 206
+	RplTraceService    IRCMessageType = 207
+	RplTraceNewType    IRCMessageType = 208
+	RplTraceClass      IRCMessageType = 209
+	RplStatsLinkInfo   IRCMessageType = 211
+	RplStatsCommands   IRCMessageType = 212
+	RplStatsCLine      IRCMessageType = 213
+	RplStatsNLine      IRCMessageType = 214
+	RplStatsILine      IRCMessageType = 215
+	RplStatsKLine      IRCMessageType = 216
+	RplStatsQLine      IRCMessageType = 217
+	RplStatsYLine      IRCMessageType = 218
+	RplEndOfStats      IRCMessageType = 219
+
+	RplUmodeIs      IRCMessageType = 221
+	RplServList     IRCMessageType = 234
+	RplServListEnd  IRCMessageType = 235
+	RplStatsLLine   IRCMessageType = 241
+	RplStatsUptime  IRCMessageType = 242
+	RplStatsOLine   IRCMessageType = 243
+	RplStatsHLine   IRCMessageType = 244
+	RplLuserClient  IRCMessageType = 251
+	RplLuserOp      IRCMessageType = 252
+	RplLuserUnknown IRCMessageType = 253
+
+	RplLuserChannels IRCMessageType = 254
+	RplLuserMe       IRCMessageType = 255
+	RplAdminMe       IRCMessageType = 256
+	RplAdminLoc1     IRCMessageType = 257
+	RplAdminLoc2     IRCMessageType = 258
+	RplAdminEmail    IRCMessageType = 259
+	RplTraceLog      IRCMessageType = 261
+	RplTraceEnd      IRCMessageType = 262
+	RplTryAgain      IRCMessageType = 263
+
+	RplAway          IRCMessageType = 301
+	RplUserHost      IRCMessageType = 302
+	RplIson          IRCMessageType = 303
+	RplUnaway        IRCMessageType = 305
+	RplNowAway       IRCMessageType = 306
+	RplWhoisUser     IRCMessageType = 311
+	RplWhoisServer   IRCMessageType = 312
+	RplWhoisOperator IRCMessageType = 313
+	RplWhoWasUser    IRCMessageType = 314
+	RplEndOfWho      IRCMessageType = 315
+	RplWhoisIdle     IRCMessageType = 317
+	RplEndOfWhois    IRCMessageType = 318
+	RplWhoisChannels IRCMessageType = 319
+	RplListStart     IRCMessageType = 321
+	RplList          IRCMessageType = 322
+	RplListEnd       IRCMessageType = 323
+	RplChannelModeIs IRCMessageType = 324
+
+	RplUniqOpIs        IRCMessageType = 325
+	RplCreationTime    IRCMessageType = 329
+	RplNoTopic         IRCMessageType = 331
+	RplTopic           IRCMessageType = 332
+	RplTopicWhoTime    IRCMessageType = 333
+	RplWhoisActually   IRCMessageType = 338
+	RplInviting        IRCMessageType = 341
+	RplSummoning       IRCMessageType = 342
+	RplInviteList      IRCMessageType = 346
+	RplEndOfInviteList IRCMessageType = 347
+	RplExceptList      IRCMessageType = 348
+	RplEndOfExceptList IRCMessageType = 349
+	RplVersion         IRCMessageType = 351
+	RplWhoReply        IRCMessageType = 352
+	RplNamReply        IRCMessageType = 353
+	RplLinks           IRCMessageType = 364
+	RplEndOfLinks      IRCMessageType = 365
+	RplEndOfNames      IRCMessageType = 366
+	RplBanList         IRCMessageType = 367
+	RplEndOfBanList    IRCMessageType = 368
+	RplEndOfWhowas     IRCMessageType = 369
+	RplInfo            IRCMessageType = 371
+	RplMotd            IRCMessageType = 372
+	RplEndOfInfo       IRCMessageType = 374
+	RplMotdStart       IRCMessageType = 375
+	RplEndOfMotd       IRCMessageType = 376
+	RplYoureOper       IRCMessageType = 381
+	RplRehashing       IRCMessageType = 382
+	RplYoureService    IRCMessageType = 383
+	RplTime            IRCMessageType = 391
+	RplUsersStart      IRCMessageType = 392
+	RplUsers           IRCMessageType = 393
+	RplEndOfUsers      IRCMessageType = 394
+	RplNoUsers         IRCMessageType = 395
+)
+
+// Error replies (400-599).
+const (
+	ErrNoSuchNick       IRCMessageType = 401
+	ErrNoSuchServer     IRCMessageType = 402
+	ErrNoSuchChannel    IRCMessageType = 403
+	ErrCannotSendToChan IRCMessageType = 404
+	ErrTooManyChannels  IRCMessageType = 405
+	ErrWasNoSuchNick    IRCMessageType = 406
+	ErrTooManyTargets   IRCMessageType = 407
+	ErrNoSuchService    IRCMessageType = 408
+	ErrNoOrigin         IRCMessageType = 409
+	ErrNoRecipient      IRCMessageType = 411
+	ErrNoTextToSend     IRCMessageType = 412
+	ErrNoTopLevel       IRCMessageType = 413
+	ErrWildTopLevel     IRCMessageType = 414
+	ErrBadMask          IRCMessageType = 415
+	ErrUnknownCommand   IRCMessageType = 421
+	ErrNoMotd           IRCMessageType = 422
+	ErrNoAdminInfo      IRCMessageType = 423
+	ErrFileError        IRCMessageType = 424
+	ErrNoNicknameGiven  IRCMessageType = 431
+	ErrErroneusNickname IRCMessageType = 432
+	ErrNicknameInUse    IRCMessageType = 433
+	ErrNickCollision    IRCMessageType = 436
+	ErrUnavailResource  IRCMessageType = 437
+
+	ErrUserNotInChannel  IRCMessageType = 441
+	ErrNotOnChannel      IRCMessageType = 442
+	ErrUserOnChannel     IRCMessageType = 443
+	ErrNoLogin           IRCMessageType = 444
+	ErrSummonDisabled    IRCMessageType = 445
+	ErrUsersDisabled     IRCMessageType = 446
+	ErrNotRegistered     IRCMessageType = 451
+	ErrNeedMoreParams    IRCMessageType = 461
+	ErrAlreadyRegistered IRCMessageType = 462
+	ErrNoPermForHost     IRCMessageType = 463
+	ErrPasswdMismatch    IRCMessageType = 464
+	ErrYoureBannedCreep  IRCMessageType = 465
+	ErrYouWillBeBanned   IRCMessageType = 466
+	ErrKeySet            IRCMessageType = 467
+	ErrChannelIsFull     IRCMessageType = 471
+	ErrUnknownMode       IRCMessageType = 472
+	ErrInviteOnlyChan    IRCMessageType = 473
+	ErrBannedFromChan    IRCMessageType = 474
+	ErrBadChannelKey     IRCMessageType = 475
+	ErrBadChanMask       IRCMessageType = 476
+	ErrNoChanModes       IRCMessageType = 477
+	ErrBanListFull       IRCMessageType = 478
+	ErrNoPrivileges      IRCMessageType = 481
+	ErrChanOpPrivsNeeded IRCMessageType = 482
+	ErrCantKillServer    IRCMessageType = 483
+	ErrRestricted        IRCMessageType = 484
+	ErrUniqOpPrivsNeeded IRCMessageType = 485
+	ErrNoOperHost        IRCMessageType = 491
+
+	ErrUmodeUnknownFlag IRCMessageType = 501
+	ErrUsersDoNotMatch  IRCMessageType = 502
+)
+
+// names maps numeric codes to their standard IRC names.
+//
+//nolint:gochecknoglobals
+var names = map[IRCMessageType]string{
+	RplWelcome:  "RPL_WELCOME",
+	RplYourHost: "RPL_YOURHOST",
+	RplCreated:  "RPL_CREATED",
+	RplMyInfo:   "RPL_MYINFO",
+	RplBounce:   "RPL_BOUNCE",
+
+	RplTraceLink:       "RPL_TRACELINK",
+	RplTraceConnecting: "RPL_TRACECONNECTING",
+	RplTraceHandshake:  "RPL_TRACEHANDSHAKE",
+	RplTraceUnknown:    "RPL_TRACEUNKNOWN",
+	RplTraceOperator:   "RPL_TRACEOPERATOR",
+	RplTraceUser:       "RPL_TRACEUSER",
+	RplTraceServer:     "RPL_TRACESERVER",
+	RplTraceService:    "RPL_TRACESERVICE",
+	RplTraceNewType:    "RPL_TRACENEWTYPE",
+	RplTraceClass:      "RPL_TRACECLASS",
+	RplStatsLinkInfo:   "RPL_STATSLINKINFO",
+	RplStatsCommands:   "RPL_STATSCOMMANDS",
+	RplStatsCLine:      "RPL_STATSCLINE",
+	RplStatsNLine:      "RPL_STATSNLINE",
+	RplStatsILine:      "RPL_STATSILINE",
+	RplStatsKLine:      "RPL_STATSKLINE",
+	RplStatsQLine:      "RPL_STATSQLINE",
+	RplStatsYLine:      "RPL_STATSYLINE",
+	RplEndOfStats:      "RPL_ENDOFSTATS",
+
+	RplUmodeIs:      "RPL_UMODEIS",
+	RplServList:     "RPL_SERVLIST",
+	RplServListEnd:  "RPL_SERVLISTEND",
+	RplStatsLLine:   "RPL_STATSLLINE",
+	RplStatsUptime:  "RPL_STATSUPTIME",
+	RplStatsOLine:   "RPL_STATSOLINE",
+	RplStatsHLine:   "RPL_STATSHLINE",
+	RplLuserClient:  "RPL_LUSERCLIENT",
+	RplLuserOp:      "RPL_LUSEROP",
+	RplLuserUnknown: "RPL_LUSERUNKNOWN",
+
+	RplLuserChannels: "RPL_LUSERCHANNELS",
+	RplLuserMe:       "RPL_LUSERME",
+	RplAdminMe:       "RPL_ADMINME",
+	RplAdminLoc1:     "RPL_ADMINLOC1",
+	RplAdminLoc2:     "RPL_ADMINLOC2",
+	RplAdminEmail:    "RPL_ADMINEMAIL",
+	RplTraceLog:      "RPL_TRACELOG",
+	RplTraceEnd:      "RPL_TRACEEND",
+	RplTryAgain:      "RPL_TRYAGAIN",
+
+	RplAway:          "RPL_AWAY",
+	RplUserHost:      "RPL_USERHOST",
+	RplIson:          "RPL_ISON",
+	RplUnaway:        "RPL_UNAWAY",
+	RplNowAway:       "RPL_NOWAWAY",
+	RplWhoisUser:     "RPL_WHOISUSER",
+	RplWhoisServer:   "RPL_WHOISSERVER",
+	RplWhoisOperator: "RPL_WHOISOPERATOR",
+	RplWhoWasUser:    "RPL_WHOWASUSER",
+	RplEndOfWho:      "RPL_ENDOFWHO",
+	RplWhoisIdle:     "RPL_WHOISIDLE",
+	RplEndOfWhois:    "RPL_ENDOFWHOIS",
+	RplWhoisChannels: "RPL_WHOISCHANNELS",
+	RplListStart:     "RPL_LISTSTART",
+	RplList:          "RPL_LIST",
+	RplListEnd:       "RPL_LISTEND", //nolint:misspell
+	RplChannelModeIs: "RPL_CHANNELMODEIS",
+
+	RplUniqOpIs:        "RPL_UNIQOPIS",
+	RplCreationTime:    "RPL_CREATIONTIME",
+	RplNoTopic:         "RPL_NOTOPIC",
+	RplTopic:           "RPL_TOPIC",
+	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
+	RplWhoisActually:   "RPL_WHOISACTUALLY",
+	RplInviting:        "RPL_INVITING",
+	RplSummoning:       "RPL_SUMMONING",
+	RplInviteList:      "RPL_INVITELIST",
+	RplEndOfInviteList: "RPL_ENDOFINVITELIST",
+	RplExceptList:      "RPL_EXCEPTLIST",
+	RplEndOfExceptList: "RPL_ENDOFEXCEPTLIST",
+	RplVersion:         "RPL_VERSION",
+	RplWhoReply:        "RPL_WHOREPLY",
+	RplNamReply:        "RPL_NAMREPLY",
+	RplLinks:           "RPL_LINKS",
+	RplEndOfLinks:      "RPL_ENDOFLINKS",
+	RplEndOfNames:      "RPL_ENDOFNAMES",
+	RplBanList:         "RPL_BANLIST",
+	RplEndOfBanList:    "RPL_ENDOFBANLIST",
+	RplEndOfWhowas:     "RPL_ENDOFWHOWAS",
+	RplInfo:            "RPL_INFO",
+	RplMotd:            "RPL_MOTD",
+	RplEndOfInfo:       "RPL_ENDOFINFO",
+	RplMotdStart:       "RPL_MOTDSTART",
+	RplEndOfMotd:       "RPL_ENDOFMOTD",
+	RplYoureOper:       "RPL_YOUREOPER",
+	RplRehashing:       "RPL_REHASHING",
+	RplYoureService:    "RPL_YOURESERVICE",
+	RplTime:            "RPL_TIME",
+	RplUsersStart:      "RPL_USERSSTART",
+	RplUsers:           "RPL_USERS",
+	RplEndOfUsers:      "RPL_ENDOFUSERS",
+	RplNoUsers:         "RPL_NOUSERS",
+
+	ErrNoSuchNick:       "ERR_NOSUCHNICK",
+	ErrNoSuchServer:     "ERR_NOSUCHSERVER",
+	ErrNoSuchChannel:    "ERR_NOSUCHCHANNEL",
+	ErrCannotSendToChan: "ERR_CANNOTSENDTOCHAN",
+	ErrTooManyChannels:  "ERR_TOOMANYCHANNELS",
+	ErrWasNoSuchNick:    "ERR_WASNOSUCHNICK",
+	ErrTooManyTargets:   "ERR_TOOMANYTARGETS",
+	ErrNoSuchService:    "ERR_NOSUCHSERVICE",
+	ErrNoOrigin:         "ERR_NOORIGIN",
+	ErrNoRecipient:      "ERR_NORECIPIENT",
+	ErrNoTextToSend:     "ERR_NOTEXTTOSEND",
+	ErrNoTopLevel:       "ERR_NOTOPLEVEL",
+	ErrWildTopLevel:     "ERR_WILDTOPLEVEL",
+	ErrBadMask:          "ERR_BADMASK",
+	ErrUnknownCommand:   "ERR_UNKNOWNCOMMAND",
+	ErrNoMotd:           "ERR_NOMOTD",
+	ErrNoAdminInfo:      "ERR_NOADMININFO",
+	ErrFileError:        "ERR_FILEERROR",
+	ErrNoNicknameGiven:  "ERR_NONICKNAMEGIVEN",
+	ErrErroneusNickname: "ERR_ERRONEUSNICKNAME",
+	ErrNicknameInUse:    "ERR_NICKNAMEINUSE",
+	ErrNickCollision:    "ERR_NICKCOLLISION",
+	ErrUnavailResource:  "ERR_UNAVAILRESOURCE",
+
+	ErrUserNotInChannel:  "ERR_USERNOTINCHANNEL",
+	ErrNotOnChannel:      "ERR_NOTONCHANNEL",
+	ErrUserOnChannel:     "ERR_USERONCHANNEL",
+	ErrNoLogin:           "ERR_NOLOGIN",
+	ErrSummonDisabled:    "ERR_SUMMONDISABLED",
+	ErrUsersDisabled:     "ERR_USERSDISABLED",
+	ErrNotRegistered:     "ERR_NOTREGISTERED",
+	ErrNeedMoreParams:    "ERR_NEEDMOREPARAMS",
+	ErrAlreadyRegistered: "ERR_ALREADYREGISTERED",
+	ErrNoPermForHost:     "ERR_NOPERMFORHOST",
+	ErrPasswdMismatch:    "ERR_PASSWDMISMATCH",
+	ErrYoureBannedCreep:  "ERR_YOUREBANNEDCREEP",
+	ErrYouWillBeBanned:   "ERR_YOUWILLBEBANNED",
+	ErrKeySet:            "ERR_KEYSET",
+	ErrChannelIsFull:     "ERR_CHANNELISFULL",
+	ErrUnknownMode:       "ERR_UNKNOWNMODE",
+	ErrInviteOnlyChan:    "ERR_INVITEONLYCHAN",
+	ErrBannedFromChan:    "ERR_BANNEDFROMCHAN",
+	ErrBadChannelKey:     "ERR_BADCHANNELKEY",
+	ErrBadChanMask:       "ERR_BADCHANMASK",
+	ErrNoChanModes:       "ERR_NOCHANMODES",
+	ErrBanListFull:       "ERR_BANLISTFULL",
+	ErrNoPrivileges:      "ERR_NOPRIVILEGES",
+	ErrChanOpPrivsNeeded: "ERR_CHANOPRIVSNEEDED",
+	ErrCantKillServer:    "ERR_CANTKILLSERVER",
+	ErrRestricted:        "ERR_RESTRICTED",
+	ErrUniqOpPrivsNeeded: "ERR_UNIQOPPRIVSNEEDED",
+	ErrNoOperHost:        "ERR_NOOPERHOST",
+
+	ErrUmodeUnknownFlag: "ERR_UMODEUNKNOWNFLAG",
+	ErrUsersDoNotMatch:  "ERR_USERSDONTMATCH",
+}
+
+// Name returns the standard IRC name for a numeric code
+// (e.g., Name(2) returns "RPL_YOURHOST"). Returns an
+// empty string if the code is unknown.
+//
+// Deprecated: Use IRCMessageType.Name() instead.
+func Name(code IRCMessageType) string {
+	return names[code]
+}

pkg/irc/numerics_test.go

@@ -0,0 +1,163 @@
+package irc_test
+
+import (
+	"errors"
+	"testing"
+
+	"git.eeqj.de/sneak/neoirc/pkg/irc"
+)
+
+func TestName(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "RPL_WELCOME"},
+		{irc.RplBounce, "RPL_BOUNCE"},
+		{irc.RplLuserOp, "RPL_LUSEROP"},
+		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN"},
+		{irc.ErrNicknameInUse, "ERR_NICKNAMEINUSE"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Name(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Name() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestString(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "RPL_WELCOME <001>"},
+		{irc.RplBounce, "RPL_BOUNCE <005>"},
+		{irc.RplLuserOp, "RPL_LUSEROP <252>"},
+		{irc.ErrCannotSendToChan, "ERR_CANNOTSENDTOCHAN <404>"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.String(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).String() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestCode(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    string
+	}{
+		{irc.RplWelcome, "001"},
+		{irc.RplBounce, "005"},
+		{irc.RplLuserOp, "252"},
+		{irc.ErrCannotSendToChan, "404"},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Code(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Code() = %q, want %q", tc.numeric.Int(), got, tc.want)
+		}
+	}
+}
+
+func TestInt(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		numeric irc.IRCMessageType
+		want    int
+	}{
+		{irc.RplWelcome, 1},
+		{irc.RplBounce, 5},
+		{irc.RplLuserOp, 252},
+		{irc.ErrCannotSendToChan, 404},
+	}
+
+	for _, tc := range tests {
+		if got := tc.numeric.Int(); got != tc.want {
+			t.Errorf("IRCMessageType(%d).Int() = %d, want %d", tc.want, got, tc.want)
+		}
+	}
+}
+
+func TestFromInt_Known(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		code int
+		want irc.IRCMessageType
+	}{
+		{1, irc.RplWelcome},
+		{5, irc.RplBounce},
+		{252, irc.RplLuserOp},
+		{404, irc.ErrCannotSendToChan},
+		{433, irc.ErrNicknameInUse},
+	}
+
+	for _, test := range tests {
+		got, err := irc.FromInt(test.code)
+		if err != nil {
+			t.Errorf("FromInt(%d) returned unexpected error: %v", test.code, err)
+
+			continue
+		}
+
+		if got != test.want {
+			t.Errorf("FromInt(%d) = %v, want %v", test.code, got, test.want)
+		}
+	}
+}
+
+func TestFromInt_Unknown(t *testing.T) {
+	t.Parallel()
+
+	unknowns := []int{0, 999, 600, -1}
+	for _, code := range unknowns {
+		_, err := irc.FromInt(code)
+		if err == nil {
+			t.Errorf("FromInt(%d) expected error, got nil", code)
+
+			continue
+		}
+
+		if !errors.Is(err, irc.ErrUnknownNumeric) {
+			t.Errorf("FromInt(%d) error = %v, want ErrUnknownNumeric", code, err)
+		}
+	}
+}
+
+func TestUnknownNumeric_Name(t *testing.T) {
+	t.Parallel()
+
+	unknown := irc.IRCMessageType(999)
+	if got := unknown.Name(); got != "" {
+		t.Errorf("IRCMessageType(999).Name() = %q, want empty string", got)
+	}
+}
+
+func TestUnknownNumeric_String(t *testing.T) {
+	t.Parallel()
+
+	unknown := irc.IRCMessageType(999)
+	want := "UNKNOWN <999>"
+
+	if got := unknown.String(); got != want {
+		t.Errorf("IRCMessageType(999).String() = %q, want %q", got, want)
+	}
+}
+
+func TestDeprecatedNameFunc(t *testing.T) {
+	t.Parallel()
+
+	if got := irc.Name(irc.RplYourHost); got != "RPL_YOURHOST" {
+		t.Errorf("Name(RplYourHost) = %q, want %q", got, "RPL_YOURHOST")
+	}
+}

web/dist/index.html

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>NeoIRC</title>
-  <link rel="stylesheet" href="/style.css">
-</head>
-<body>
-  <div id="root"></div>
-  <script type="module" src="/app.js"></script>
-</body>
-</html>

web/dist/style.css

@@ -1,466 +0,0 @@
-* {
-  margin: 0;
-  padding: 0;
-  box-sizing: border-box;
-}
-
-:root {
-  --bg: #0a0e14;
-  --bg-panel: #0d1117;
-  --bg-input: #0d1117;
-  --bg-tab: #161b22;
-  --bg-tab-active: #0d1117;
-  --bg-topic: #0d1117;
-  --text: #c9d1d9;
-  --text-dim: #6e7681;
-  --text-bright: #e6edf3;
-  --accent: #58a6ff;
-  --accent-dim: #1f6feb;
-  --border: #21262d;
-  --system: #7d8590;
-  --action: #d2a8ff;
-  --warn: #d29922;
-  --error: #f85149;
-  --unread: #f0883e;
-  --nick-brackets: #6e7681;
-  --timestamp: #484f58;
-  --input-bg: #161b22;
-  --prompt: #3fb950;
-  --tab-indicator: #58a6ff;
-  --user-list-bg: #0d1117;
-  --user-list-header: #484f58;
-}
-
-html,
-body,
-#root {
-  height: 100%;
-  font-family: "JetBrains Mono", "Cascadia Code", "Fira Code", "SF Mono",
-    "Consolas", "Liberation Mono", "Courier New", monospace;
-  font-size: 13px;
-  background: var(--bg);
-  color: var(--text);
-  overflow: hidden;
-}
-
-/* ============================================
-   Login Screen
-   ============================================ */
-
-.login-screen {
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  height: 100%;
-  background: var(--bg);
-}
-
-.login-box {
-  text-align: center;
-  max-width: 360px;
-  width: 100%;
-  padding: 32px;
-}
-
-.login-box h1 {
-  color: var(--accent);
-  font-size: 1.8em;
-  margin-bottom: 16px;
-  font-weight: 400;
-}
-
-.login-box .motd {
-  color: var(--text-dim);
-  font-size: 12px;
-  margin-bottom: 20px;
-  text-align: left;
-  white-space: pre-wrap;
-  font-family: inherit;
-  border-left: 2px solid var(--border);
-  padding-left: 12px;
-}
-
-.login-box form {
-  display: flex;
-  flex-direction: column;
-  gap: 8px;
-  align-items: stretch;
-}
-
-.login-box label {
-  color: var(--text-dim);
-  text-align: left;
-  font-size: 12px;
-}
-
-.login-box input {
-  padding: 8px 12px;
-  font-family: inherit;
-  font-size: 14px;
-  background: var(--input-bg);
-  border: 1px solid var(--border);
-  color: var(--text-bright);
-  border-radius: 3px;
-  outline: none;
-}
-
-.login-box input:focus {
-  border-color: var(--accent-dim);
-}
-
-.login-box button {
-  padding: 8px 16px;
-  font-family: inherit;
-  font-size: 14px;
-  background: var(--accent-dim);
-  border: none;
-  color: var(--text-bright);
-  border-radius: 3px;
-  cursor: pointer;
-  margin-top: 4px;
-}
-
-.login-box button:hover {
-  background: var(--accent);
-}
-
-.login-box .error {
-  color: var(--error);
-  font-size: 12px;
-  margin-top: 8px;
-}
-
-/* ============================================
-   IRC App Layout
-   ============================================ */
-
-.irc-app {
-  display: flex;
-  flex-direction: column;
-  height: 100%;
-  overflow: hidden;
-}
-
-/* ============================================
-   Tab Bar
-   ============================================ */
-
-.tab-bar {
-  display: flex;
-  background: var(--bg-tab);
-  border-bottom: 1px solid var(--border);
-  flex-shrink: 0;
-  height: 32px;
-  align-items: stretch;
-}
-
-.tabs {
-  display: flex;
-  overflow-x: auto;
-  flex: 1;
-  scrollbar-width: none;
-}
-
-.tabs::-webkit-scrollbar {
-  display: none;
-}
-
-.tab {
-  display: flex;
-  align-items: center;
-  padding: 0 12px;
-  cursor: pointer;
-  color: var(--text-dim);
-  white-space: nowrap;
-  user-select: none;
-  border-right: 1px solid var(--border);
-  font-size: 12px;
-  gap: 4px;
-  position: relative;
-}
-
-.tab:hover {
-  color: var(--text);
-  background: rgba(255, 255, 255, 0.03);
-}
-
-.tab.active {
-  color: var(--text-bright);
-  background: var(--bg-tab-active);
-  border-bottom: 2px solid var(--tab-indicator);
-  margin-bottom: -1px;
-}
-
-.tab.has-unread .tab-label {
-  color: var(--unread);
-  font-weight: bold;
-}
-
-.tab .unread-count {
-  color: var(--unread);
-  font-size: 11px;
-  font-weight: bold;
-}
-
-.tab-close {
-  color: var(--text-dim);
-  font-size: 14px;
-  line-height: 1;
-  margin-left: 2px;
-}
-
-.tab-close:hover {
-  color: var(--error);
-}
-
-.status-area {
-  display: flex;
-  align-items: center;
-  gap: 10px;
-  padding: 0 12px;
-  flex-shrink: 0;
-  font-size: 12px;
-}
-
-.status-nick {
-  color: var(--accent);
-  font-weight: bold;
-}
-
-.status-warn {
-  color: var(--warn);
-  animation: blink 1.5s ease-in-out infinite;
-}
-
-@keyframes blink {
-  0%,
-  100% {
-    opacity: 1;
-  }
-  50% {
-    opacity: 0.4;
-  }
-}
-
-/* ============================================
-   Topic Bar
-   ============================================ */
-
-.topic-bar {
-  padding: 4px 12px;
-  background: var(--bg-topic);
-  border-bottom: 1px solid var(--border);
-  font-size: 12px;
-  white-space: nowrap;
-  overflow: hidden;
-  text-overflow: ellipsis;
-  flex-shrink: 0;
-  line-height: 1.5;
-}
-
-.topic-label {
-  color: var(--text-dim);
-}
-
-.topic-text {
-  color: var(--text);
-}
-
-/* ============================================
-   Main Content Area
-   ============================================ */
-
-.main-area {
-  display: flex;
-  flex: 1;
-  overflow: hidden;
-  min-height: 0;
-}
-
-/* ============================================
-   Messages Panel
-   ============================================ */
-
-.messages-panel {
-  flex: 1;
-  display: flex;
-  flex-direction: column;
-  overflow: hidden;
-  min-width: 0;
-}
-
-.messages-scroll {
-  flex: 1;
-  overflow-y: auto;
-  padding: 4px 8px;
-  scrollbar-width: thin;
-  scrollbar-color: var(--border) transparent;
-}
-
-.messages-scroll::-webkit-scrollbar {
-  width: 8px;
-}
-
-.messages-scroll::-webkit-scrollbar-track {
-  background: transparent;
-}
-
-.messages-scroll::-webkit-scrollbar-thumb {
-  background: var(--border);
-  border-radius: 4px;
-}
-
-/* ============================================
-   Message Lines
-   ============================================ */
-
-.message {
-  padding: 1px 0;
-  line-height: 1.4;
-  white-space: pre-wrap;
-  word-wrap: break-word;
-  font-size: 13px;
-}
-
-.message .timestamp {
-  color: var(--timestamp);
-  font-size: 12px;
-}
-
-.message .nick {
-  font-weight: bold;
-}
-
-.message .content {
-  color: var(--text);
-}
-
-/* System messages (joins, parts, quits, etc.) */
-.system-message {
-  color: var(--system);
-}
-
-.system-message .system-text {
-  color: var(--system);
-}
-
-/* /me action messages */
-.action-message .action-text {
-  color: var(--action);
-}
-
-/* ============================================
-   User List (Right Panel)
-   ============================================ */
-
-.user-list {
-  width: 160px;
-  background: var(--user-list-bg);
-  border-left: 1px solid var(--border);
-  display: flex;
-  flex-direction: column;
-  flex-shrink: 0;
-  overflow: hidden;
-}
-
-.user-list-header {
-  padding: 6px 10px;
-  color: var(--user-list-header);
-  font-size: 11px;
-  text-transform: uppercase;
-  letter-spacing: 0.5px;
-  border-bottom: 1px solid var(--border);
-  flex-shrink: 0;
-}
-
-.user-list-entries {
-  overflow-y: auto;
-  padding: 4px 0;
-  flex: 1;
-  scrollbar-width: thin;
-  scrollbar-color: var(--border) transparent;
-}
-
-.nick-entry {
-  padding: 2px 10px;
-  font-size: 12px;
-  cursor: pointer;
-  white-space: nowrap;
-  overflow: hidden;
-  text-overflow: ellipsis;
-  line-height: 1.5;
-}
-
-.nick-entry:hover {
-  background: rgba(255, 255, 255, 0.04);
-}
-
-.nick-prefix {
-  color: var(--text-dim);
-  display: inline-block;
-  width: 1ch;
-  text-align: right;
-  margin-right: 1px;
-}
-
-.nick-name {
-  font-weight: normal;
-}
-
-/* ============================================
-   Input Line (Bottom)
-   ============================================ */
-
-.input-line {
-  display: flex;
-  align-items: center;
-  background: var(--input-bg);
-  border-top: 1px solid var(--border);
-  flex-shrink: 0;
-  height: 36px;
-  padding: 0 8px;
-  gap: 6px;
-}
-
-.input-prompt {
-  color: var(--prompt);
-  font-size: 13px;
-  flex-shrink: 0;
-  white-space: nowrap;
-}
-
-.input-line input {
-  flex: 1;
-  padding: 4px 0;
-  font-family: inherit;
-  font-size: 13px;
-  background: transparent;
-  border: none;
-  color: var(--text-bright);
-  outline: none;
-  caret-color: var(--accent);
-}
-
-.input-line input::placeholder {
-  color: var(--text-dim);
-  font-style: italic;
-}
-
-/* ============================================
-   Responsive
-   ============================================ */
-
-@media (max-width: 600px) {
-  .user-list {
-    display: none;
-  }
-
-  .tab {
-    padding: 0 8px;
-    font-size: 11px;
-  }
-
-  .input-prompt {
-    font-size: 12px;
-  }
-}

web/src/app.jsx

@@ -8,6 +8,56 @@ const MEMBER_REFRESH_INTERVAL = 10000;
 const ACTION_PREFIX = "\x01ACTION ";
 const ACTION_SUFFIX = "\x01";
 
+// Hashcash proof-of-work helpers using Web Crypto API.
+
+function checkLeadingZeros(hashBytes, bits) {
+  let count = 0;
+  for (let i = 0; i < hashBytes.length; i++) {
+    if (hashBytes[i] === 0) {
+      count += 8;
+      continue;
+    }
+    let b = hashBytes[i];
+    while ((b & 0x80) === 0) {
+      count++;
+      b <<= 1;
+    }
+    break;
+  }
+  return count >= bits;
+}
+
+async function mintHashcash(bits, resource) {
+  const encoder = new TextEncoder();
+  const now = new Date();
+  const date =
+    String(now.getUTCFullYear()).slice(2) +
+    String(now.getUTCMonth() + 1).padStart(2, "0") +
+    String(now.getUTCDate()).padStart(2, "0");
+  const prefix = `1:${bits}:${date}:${resource}::`;
+  let nonce = Math.floor(Math.random() * 0x100000);
+  const batchSize = 1024;
+
+  for (;;) {
+    const stamps = [];
+    const hashPromises = [];
+    for (let i = 0; i < batchSize; i++) {
+      const stamp = prefix + (nonce + i).toString(16);
+      stamps.push(stamp);
+      hashPromises.push(
+        crypto.subtle.digest("SHA-256", encoder.encode(stamp)),
+      );
+    }
+    const hashes = await Promise.all(hashPromises);
+    for (let i = 0; i < hashes.length; i++) {
+      if (checkLeadingZeros(new Uint8Array(hashes[i]), bits)) {
+        return stamps[i];
+      }
+    }
+    nonce += batchSize;
+  }
+}
+
 function api(path, opts = {}) {
   const token = localStorage.getItem("neoirc_token");
   const headers = {
@@ -60,18 +110,22 @@ function LoginScreen({ onLogin }) {
   const [motd, setMotd] = useState("");
   const [serverName, setServerName] = useState("NeoIRC");
   const inputRef = useRef();
+  const hashcashBitsRef = useRef(0);
+  const hashcashResourceRef = useRef("neoirc");
 
   useEffect(() => {
     api("/server")
       .then((s) => {
         if (s.name) setServerName(s.name);
         if (s.motd) setMotd(s.motd);
+        hashcashBitsRef.current = s.hashcash_bits || 0;
+        if (s.name) hashcashResourceRef.current = s.name;
       })
       .catch(() => {});
     const saved = localStorage.getItem("neoirc_token");
     if (saved) {
-      api("/state")
+      api("/state?initChannelState=1")
-        .then((u) => onLogin(u.nick))
+        .then((u) => onLogin(u.nick, true))
         .catch(() => localStorage.removeItem("neoirc_token"));
     }
     inputRef.current?.focus();
@@ -81,9 +135,22 @@ function LoginScreen({ onLogin }) {
     e.preventDefault();
     setError("");
     try {
+      let hashcashStamp = "";
+      if (hashcashBitsRef.current > 0) {
+        setError("Computing proof-of-work...");
+        hashcashStamp = await mintHashcash(
+          hashcashBitsRef.current,
+          hashcashResourceRef.current,
+        );
+        setError("");
+      }
+      const reqBody = { nick: nick.trim() };
+      if (hashcashStamp) {
+        reqBody.pow_token = hashcashStamp;
+      }
       const res = await api("/session", {
         method: "POST",
-        body: JSON.stringify({ nick: nick.trim() }),
+        body: JSON.stringify(reqBody),
       });
       localStorage.setItem("neoirc_token", res.token);
       onLogin(res.nick);
@@ -333,7 +400,24 @@ function App() {
         case "JOIN": {
           const text = `${msg.from} has joined ${msg.to}`;
           if (msg.to) addMessage(msg.to, { ...base, text, system: true });
-          if (msg.to && msg.to.startsWith("#")) refreshMembers(msg.to);
+          if (msg.to && msg.to.startsWith("#")) {
+            // Create a tab when the current user joins a channel
+            // (including JOINs from initChannelState on reconnect).
+            if (msg.from === nickRef.current) {
+              setTabs((prev) => {
+                if (
+                  prev.find(
+                    (t) => t.type === "channel" && t.name === msg.to,
+                  )
+                )
+                  return prev;
+
+                return [...prev, { type: "channel", name: msg.to }];
+              });
+            }
+
+            refreshMembers(msg.to);
+          }
 
           break;
         }
@@ -419,6 +503,100 @@ function App() {
 
           break;
         }
+        case "322": {
+          // RPL_LIST — channel, member count, topic.
+          if (Array.isArray(msg.params) && msg.params.length >= 2) {
+            const chName = msg.params[0];
+            const count = msg.params[1];
+            const chTopic = body || "";
+            addMessage("Server", {
+              ...base,
+              text: `${chName} (${count} users): ${chTopic.trim()}`,
+              system: true,
+            });
+          }
+
+          break;
+        }
+        case "323":
+          addMessage("Server", {
+            ...base,
+            text: body || "End of channel list",
+            system: true,
+          });
+
+          break;
+        case "352": {
+          // RPL_WHOREPLY — channel, user, host, server, nick, flags.
+          if (Array.isArray(msg.params) && msg.params.length >= 5) {
+            const whoCh = msg.params[0];
+            const whoNick = msg.params[4];
+            const whoFlags = msg.params.length > 5 ? msg.params[5] : "";
+            addMessage("Server", {
+              ...base,
+              text: `${whoCh} ${whoNick} ${whoFlags}`,
+              system: true,
+            });
+          }
+
+          break;
+        }
+        case "315":
+          addMessage("Server", {
+            ...base,
+            text: body || "End of /WHO list",
+            system: true,
+          });
+
+          break;
+        case "311": {
+          // RPL_WHOISUSER — nick, user, host, *, realname.
+          if (Array.isArray(msg.params) && msg.params.length >= 1) {
+            const wiNick = msg.params[0];
+            addMessage("Server", {
+              ...base,
+              text: `${wiNick} (${body})`,
+              system: true,
+            });
+          }
+
+          break;
+        }
+        case "312": {
+          // RPL_WHOISSERVER — nick, server, server info.
+          if (Array.isArray(msg.params) && msg.params.length >= 2) {
+            const wiNick = msg.params[0];
+            const wiServer = msg.params[1];
+            addMessage("Server", {
+              ...base,
+              text: `${wiNick} on ${wiServer}`,
+              system: true,
+            });
+          }
+
+          break;
+        }
+        case "319": {
+          // RPL_WHOISCHANNELS — nick, channels.
+          if (Array.isArray(msg.params) && msg.params.length >= 1) {
+            const wiNick = msg.params[0];
+            addMessage("Server", {
+              ...base,
+              text: `${wiNick} is on: ${body}`,
+              system: true,
+            });
+          }
+
+          break;
+        }
+        case "318":
+          addMessage("Server", {
+            ...base,
+            text: body || "End of /WHOIS list",
+            system: true,
+          });
+
+          break;
         case "375":
         case "372":
         case "376":
@@ -497,6 +675,31 @@ function App() {
     inputRef.current?.focus();
   }, [activeTab]);
 
+  // Global keyboard handler — capture '/' to prevent
+  // Firefox quick search and redirect focus to the input.
+  useEffect(() => {
+    const handleGlobalKeyDown = (e) => {
+      if (
+        e.key === "/" &&
+        document.activeElement !== inputRef.current &&
+        !e.ctrlKey &&
+        !e.altKey &&
+        !e.metaKey
+      ) {
+        e.preventDefault();
+        inputRef.current?.focus();
+      }
+    };
+
+    document.addEventListener("keydown", handleGlobalKeyDown);
+
+    // Also focus input on initial mount.
+    inputRef.current?.focus();
+
+    return () =>
+      document.removeEventListener("keydown", handleGlobalKeyDown);
+  }, []);
+
   // Fetch topic for active channel.
   useEffect(() => {
     if (!loggedIn) return;
@@ -512,10 +715,31 @@ function App() {
   }, [loggedIn, activeTab, tabs]);
 
   const onLogin = useCallback(
-    async (userNick) => {
+    async (userNick, isResumed) => {
       setNick(userNick);
       setLoggedIn(true);
       addSystemMessage("Server", `Connected as ${userNick}`);
+
+      if (isResumed) {
+        // Request MOTD on resumed sessions (new sessions
+        // get it automatically from the server during
+        // creation).  Channel state is initialized by the
+        // server via the message queue
+        // (?initChannelState=1), so we do not need to
+        // re-JOIN channels here.
+        try {
+          await api("/messages", {
+            method: "POST",
+            body: JSON.stringify({ command: "MOTD" }),
+          });
+        } catch (e) {
+          // MOTD is non-critical.
+        }
+
+        return;
+      }
+
+      // Fresh session — join any previously saved channels.
       const saved = JSON.parse(
         localStorage.getItem("neoirc_channels") || "[]",
       );
@@ -791,16 +1015,125 @@ function App() {
 
         break;
       }
+      case "/motd": {
+        try {
+          await api("/messages", {
+            method: "POST",
+            body: JSON.stringify({ command: "MOTD" }),
+          });
+        } catch (err) {
+          addSystemMessage(
+            "Server",
+            `Failed to request MOTD: ${err.data?.error || "error"}`,
+          );
+        }
+
+        break;
+      }
+      case "/query": {
+        if (parts[1]) {
+          const target = parts[1];
+          openDM(target);
+          const msgText = parts.slice(2).join(" ");
+          if (msgText) {
+            try {
+              await api("/messages", {
+                method: "POST",
+                body: JSON.stringify({
+                  command: "PRIVMSG",
+                  to: target,
+                  body: [msgText],
+                }),
+              });
+            } catch (err) {
+              addSystemMessage(
+                "Server",
+                `Message failed: ${err.data?.error || "error"}`,
+              );
+            }
+          }
+        } else {
+          addSystemMessage("Server", "Usage: /query <nick> [message]");
+        }
+
+        break;
+      }
+      case "/list": {
+        try {
+          await api("/messages", {
+            method: "POST",
+            body: JSON.stringify({ command: "LIST" }),
+          });
+        } catch (err) {
+          addSystemMessage(
+            "Server",
+            `Failed to list channels: ${err.data?.error || "error"}`,
+          );
+        }
+
+        break;
+      }
+      case "/who": {
+        const whoTarget = parts[1] || (tab.type === "channel" ? tab.name : "");
+        if (whoTarget) {
+          try {
+            await api("/messages", {
+              method: "POST",
+              body: JSON.stringify({ command: "WHO", to: whoTarget }),
+            });
+          } catch (err) {
+            addSystemMessage(
+              "Server",
+              `WHO failed: ${err.data?.error || "error"}`,
+            );
+          }
+        } else {
+          addSystemMessage("Server", "Usage: /who #channel");
+        }
+
+        break;
+      }
+      case "/whois": {
+        if (parts[1]) {
+          try {
+            await api("/messages", {
+              method: "POST",
+              body: JSON.stringify({ command: "WHOIS", to: parts[1] }),
+            });
+          } catch (err) {
+            addSystemMessage(
+              "Server",
+              `WHOIS failed: ${err.data?.error || "error"}`,
+            );
+          }
+        } else {
+          addSystemMessage("Server", "Usage: /whois <nick>");
+        }
+
+        break;
+      }
+      case "/clear": {
+        const clearTarget = tab.name;
+        setMessages((prev) => ({ ...prev, [clearTarget]: [] }));
+
+        break;
+      }
       case "/help": {
         const helpLines = [
           "Available commands:",
           "  /join #channel        — Join a channel",
           "  /part [reason]        — Part the current channel",
           "  /msg nick message     — Send a private message",
+          "  /query nick [message] — Open a DM tab (optionally send a message)",
           "  /me action            — Send an action",
           "  /nick newnick         — Change your nickname",
           "  /topic [text]         — View or set channel topic",
           "  /mode +/-flags        — Set channel modes",
+          "  /motd                 — Display the message of the day",
+          "  /list                 — List all channels",
+          "  /who [#channel]       — List users in a channel",
+          "  /whois nick           — Show info about a user",
+          "  /clear                — Clear messages in the current tab",
           "  /quit [reason]        — Disconnect from server",
           "  /help                 — Show this help",
         ];

web/src/style.css

@@ -70,14 +70,14 @@ body,
 }
 
 .login-box .motd {
-  color: var(--text-dim);
+  color: var(--accent);
-  font-size: 12px;
+  font-size: 11px;
   margin-bottom: 20px;
   text-align: left;
-  white-space: pre-wrap;
+  white-space: pre;
   font-family: inherit;
-  border-left: 2px solid var(--border);
+  line-height: 1.2;
-  padding-left: 12px;
+  overflow-x: auto;
 }
 
 .login-box form {