test: add comprehensive IRC integration test with two clients (#100)

Adds `integration_test.go` with four test functions that exercise all major IRC features using real TCP connections.

## Tests

**TestIntegrationTwoClients** — sequential two-client test covering:
- NICK/USER registration (001-004 welcome burst)
- JOIN with cross-client visibility
- PRIVMSG channel (both directions)
- PRIVMSG DM (both directions)
- NOTICE channel and DM
- TOPIC set/get/lock/unlock
- MODE query, +m (moderated), +v (voice), -t/+t (topic lock)
- NAMES (with both nicks listed)
- LIST
- WHO
- WHOIS (with channels)
- LUSERS
- NICK change (with relay to other client)
- Duplicate NICK (ERR_NICKNAMEINUSE)
- KICK (with relay + reason)
- KICK non-op error (ERR_CHANOPRIVSNEEDED)
- PING/PONG
- Unknown command (ERR_UNKNOWNCOMMAND)
- MOTD
- AWAY set/clear/RPL_AWAY on DM
- PASS post-registration
- PART with reason + relay
- PART non-existent channel error
- User MODE query
- Multi-channel messaging
- QUIT with relay

**TestIntegrationModeSecret** — verifies +s mode set and query.

**TestIntegrationModeModerated** — verifies +m blocks non-voiced users and +v enables sending.

**TestIntegrationThirdClientObserver** — verifies three-client channel message fanout.

`docker build --no-cache .` passes clean (formatting, linting, all tests, build).

closes sneak/chat#97

Co-authored-by: user <user@Mac.lan guest wan>
Reviewed-on: #100
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

README.md

@@ -1080,8 +1080,8 @@ the server to the client (never C2S) and use 3-digit string codes in the
 | `001` | RPL_WELCOME         | After session creation | `{"command":"001","to":"alice","body":["Welcome to the network, alice"]}` |
 | `002` | RPL_YOURHOST        | After session creation | `{"command":"002","to":"alice","body":["Your host is neoirc, running version 0.1"]}` |
 | `003` | RPL_CREATED         | After session creation | `{"command":"003","to":"alice","body":["This server was created 2026-02-10"]}` |
-| `004` | RPL_MYINFO          | After session creation | `{"command":"004","to":"alice","params":["neoirc","0.1","","mnst"]}` |
-| `005` | RPL_ISUPPORT        | After session creation | `{"command":"005","to":"alice","params":["CHANTYPES=#","NICKLEN=32","PREFIX=(ov)@+","CHANMODES=,,H,mnst","NETWORK=neoirc"],"body":["are supported by this server"]}` |
+| `004` | RPL_MYINFO          | After session creation | `{"command":"004","to":"alice","params":["neoirc","0.1","","ikmnostl"]}` |
+| `005` | RPL_ISUPPORT        | After session creation | `{"command":"005","to":"alice","params":["CHANTYPES=#","NICKLEN=32","PREFIX=(ov)@+","CHANMODES=b,k,Hl,imnst","NETWORK=neoirc"],"body":["are supported by this server"]}` |
 | `221` | RPL_UMODEIS         | In response to user MODE query | `{"command":"221","to":"alice","body":["+"]}` |
 | `251` | RPL_LUSERCLIENT     | On connect or LUSERS command | `{"command":"251","to":"alice","body":["There are 5 users and 0 invisible on 1 servers"]}` |
 | `252` | RPL_LUSEROP         | On connect or LUSERS command | `{"command":"252","to":"alice","params":["0"],"body":["operator(s) online"]}` |
@@ -1129,12 +1129,15 @@ Inspired by IRC, simplified:
 
 | Mode | Name           | Meaning | Status |
 |------|----------------|---------|--------|
+| `+b` | Ban            | Prevents matching hostmasks from joining or sending (parameter: `nick!user@host` mask with wildcards) | **Enforced** |
+| `+i` | Invite-only    | Only invited users can join; use `INVITE nick #channel` to invite | **Enforced** |
+| `+k` | Channel key    | Requires a password to join (parameter: key string) | **Enforced** |
+| `+l` | User limit     | Maximum number of members allowed in the channel (parameter: integer) | **Enforced** |
 | `+m` | Moderated      | Only voiced (`+v`) users and operators (`+o`) can send | **Enforced** |
-| `+t` | Topic lock     | Only operators can change the topic (default: ON) | **Enforced** |
 | `+n` | No external    | Only channel members can send messages to the channel | **Enforced** |
+| `+s` | Secret         | Channel hidden from LIST and WHOIS for non-members | **Enforced** |
+| `+t` | Topic lock     | Only operators can change the topic (default: ON) | **Enforced** |
 | `+H` | Hashcash       | Requires proof-of-work for PRIVMSG (parameter: bits, e.g. `+H 20`) | **Enforced** |
-| `+i` | Invite-only    | Only invited users can join | Not yet enforced |
-| `+s` | Secret         | Channel hidden from LIST response | Not yet enforced |
 
 **User channel modes (set per-user per-channel):**
 
@@ -1146,6 +1149,42 @@ Inspired by IRC, simplified:
 **Channel creator auto-op:** The first user to JOIN a channel (creating it)
 automatically receives `+o` operator status.
 
+**Ban system (+b):** Operators can ban users by hostmask pattern with wildcard
+matching (`*` and `?`). `MODE #channel +b` with no argument lists current bans.
+Bans prevent both joining and sending messages.
+
+```
+MODE #channel +b *!*@*.example.com   — ban all users from example.com
+MODE #channel -b *!*@*.example.com   — remove the ban
+MODE #channel +b                     — list all bans (RPL_BANLIST 367/368)
+```
+
+**Invite-only (+i):** When set, users must be invited by an operator before
+joining. The `INVITE` command records an invite that is consumed on JOIN.
+
+```
+MODE #channel +i                     — set invite-only
+INVITE nick #channel                 — invite a user (operator only on +i channels)
+```
+
+**Channel key (+k):** Requires a password to join the channel.
+
+```
+MODE #channel +k secretpass          — set a channel key
+MODE #channel -k *                   — remove the key
+JOIN #channel secretpass             — join with key
+```
+
+**User limit (+l):** Caps the number of members in the channel.
+
+```
+MODE #channel +l 50                  — set limit to 50 members
+MODE #channel -l                     — remove the limit
+```
+
+**Secret (+s):** Hides the channel from `LIST` for non-members and from
+`WHOIS` channel lists when the querier is not in the same channel.
+
 **KICK command:** Channel operators can remove users with `KICK #channel nick
 [:reason]`. The kicked user and all channel members receive the KICK message.
 
@@ -1154,7 +1193,7 @@ RPL_AWAY), and skips hashcash validation on +H channels (servers and services
 use NOTICE).
 
 **ISUPPORT:** The server advertises `PREFIX=(ov)@+` and
-`CHANMODES=,,H,mnst` in RPL_ISUPPORT (005).
+`CHANMODES=b,k,Hl,imnst` in RPL_ISUPPORT (005).
 
 ### Per-Channel Hashcash (Anti-Spam)
 
@@ -2760,7 +2799,7 @@ guess is borne by the server (bcrypt), not the client.
 - [x] **Client output queue pruning** — delete old client output queue entries per `QUEUE_MAX_AGE`
 - [x] **Message rotation** — prune messages older than `MESSAGE_MAX_AGE`
 - [x] **Channel modes** — enforce `+m` (moderated), `+t` (topic lock), `+n` (no external)
-- [ ] **Channel modes (tier 2)** — enforce `+i` (invite-only), `+s` (secret), `+b` (ban), `+k` (key), `+l` (limit)
+- [x] **Channel modes (tier 2)** — enforce `+i` (invite-only), `+s` (secret), `+b` (ban), `+k` (key), `+l` (limit)
 - [x] **User channel modes** — `+o` (operator), `+v` (voice) with NAMES prefixes
 - [x] **KICK command** — operator-only channel kick with broadcast
 - [x] **MODE command** — query and set channel/user modes

internal/db/db.go

@@ -135,13 +135,21 @@ type migration struct {
 func (database *Database) runMigrations(
 	ctx context.Context,
 ) error {
-	_, err := database.conn.ExecContext(ctx,
-		`CREATE TABLE IF NOT EXISTS schema_migrations (
-		 version INTEGER PRIMARY KEY,
-		 applied_at DATETIME DEFAULT CURRENT_TIMESTAMP)`)
+	bootstrap, err := SchemaFiles.ReadFile(
+		"schema/000.sql",
+	)
 	if err != nil {
 		return fmt.Errorf(
-			"create schema_migrations: %w", err,
+			"read bootstrap migration: %w", err,
+		)
+	}
+
+	_, err = database.conn.ExecContext(
+		ctx, string(bootstrap),
+	)
+	if err != nil {
+		return fmt.Errorf(
+			"execute bootstrap migration: %w", err,
 		)
 	}
 
@@ -270,6 +278,11 @@ func (database *Database) loadMigrations() (
 			continue
 		}
 
+		// Skip bootstrap migration; it is executed separately.
+		if version == 0 {
+			continue
+		}
+
 		content, readErr := SchemaFiles.ReadFile(
 			"schema/" + entry.Name(),
 		)

internal/db/queries.go

@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
@@ -1835,3 +1836,580 @@ func (database *Database) PruneSpentHashcash(
 
 	return deleted, nil
 }
+
+// --- Tier 2: Ban system (+b) ---
+
+// BanInfo represents a channel ban entry.
+type BanInfo struct {
+	Mask      string
+	SetBy     string
+	CreatedAt time.Time
+}
+
+// AddChannelBan inserts a ban mask for a channel.
+func (database *Database) AddChannelBan(
+	ctx context.Context,
+	channelID int64,
+	mask, setBy string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`INSERT OR IGNORE INTO channel_bans
+		 (channel_id, mask, set_by, created_at)
+		 VALUES (?, ?, ?, ?)`,
+		channelID, mask, setBy, time.Now())
+	if err != nil {
+		return fmt.Errorf("add channel ban: %w", err)
+	}
+
+	return nil
+}
+
+// RemoveChannelBan removes a ban mask from a channel.
+func (database *Database) RemoveChannelBan(
+	ctx context.Context,
+	channelID int64,
+	mask string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`DELETE FROM channel_bans
+		 WHERE channel_id = ? AND mask = ?`,
+		channelID, mask)
+	if err != nil {
+		return fmt.Errorf("remove channel ban: %w", err)
+	}
+
+	return nil
+}
+
+// ListChannelBans returns all bans for a channel.
+//
+//nolint:dupl // different query+type vs filtered variant
+func (database *Database) ListChannelBans(
+	ctx context.Context,
+	channelID int64,
+) ([]BanInfo, error) {
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT mask, set_by, created_at
+		 FROM channel_bans
+		 WHERE channel_id = ?
+		 ORDER BY created_at ASC`,
+		channelID)
+	if err != nil {
+		return nil, fmt.Errorf("list channel bans: %w", err)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var bans []BanInfo
+
+	for rows.Next() {
+		var ban BanInfo
+
+		if scanErr := rows.Scan(
+			&ban.Mask, &ban.SetBy, &ban.CreatedAt,
+		); scanErr != nil {
+			return nil, fmt.Errorf(
+				"scan channel ban: %w", scanErr,
+			)
+		}
+
+		bans = append(bans, ban)
+	}
+
+	if rowErr := rows.Err(); rowErr != nil {
+		return nil, fmt.Errorf(
+			"iterate channel bans: %w", rowErr,
+		)
+	}
+
+	return bans, nil
+}
+
+// IsSessionBanned checks if a session's hostmask matches
+// any ban in the channel. Returns true if banned.
+func (database *Database) IsSessionBanned(
+	ctx context.Context,
+	channelID, sessionID int64,
+) (bool, error) {
+	// Get the session's hostmask parts.
+	var nick, username, hostname string
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT nick, username, hostname
+		 FROM sessions WHERE id = ?`,
+		sessionID,
+	).Scan(&nick, &username, &hostname)
+	if err != nil {
+		return false, fmt.Errorf(
+			"get session hostmask: %w", err,
+		)
+	}
+
+	hostmask := FormatHostmask(nick, username, hostname)
+
+	// Get all ban masks for the channel.
+	bans, banErr := database.ListChannelBans(ctx, channelID)
+	if banErr != nil {
+		return false, banErr
+	}
+
+	for _, ban := range bans {
+		if MatchBanMask(ban.Mask, hostmask) {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+// MatchBanMask checks if hostmask matches a ban pattern
+// using IRC-style wildcard matching (* and ?).
+func MatchBanMask(pattern, hostmask string) bool {
+	return wildcardMatch(
+		strings.ToLower(pattern),
+		strings.ToLower(hostmask),
+	)
+}
+
+// wildcardMatch implements simple glob-style matching
+// with * (any sequence) and ? (any single character).
+func wildcardMatch(pattern, str string) bool {
+	for len(pattern) > 0 {
+		switch pattern[0] {
+		case '*':
+			// Skip consecutive asterisks.
+			for len(pattern) > 0 && pattern[0] == '*' {
+				pattern = pattern[1:]
+			}
+
+			if len(pattern) == 0 {
+				return true
+			}
+
+			for i := 0; i <= len(str); i++ {
+				if wildcardMatch(pattern, str[i:]) {
+					return true
+				}
+			}
+
+			return false
+		case '?':
+			if len(str) == 0 {
+				return false
+			}
+
+			pattern = pattern[1:]
+			str = str[1:]
+		default:
+			if len(str) == 0 || pattern[0] != str[0] {
+				return false
+			}
+
+			pattern = pattern[1:]
+			str = str[1:]
+		}
+	}
+
+	return len(str) == 0
+}
+
+// --- Tier 2: Invite-only (+i) ---
+
+// IsChannelInviteOnly checks if a channel has +i mode.
+func (database *Database) IsChannelInviteOnly(
+	ctx context.Context,
+	channelID int64,
+) (bool, error) {
+	var isInviteOnly int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT is_invite_only FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&isInviteOnly)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check invite only: %w", err,
+		)
+	}
+
+	return isInviteOnly != 0, nil
+}
+
+// SetChannelInviteOnly sets or unsets +i mode.
+func (database *Database) SetChannelInviteOnly(
+	ctx context.Context,
+	channelID int64,
+	inviteOnly bool,
+) error {
+	val := 0
+	if inviteOnly {
+		val = 1
+	}
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET is_invite_only = ?, updated_at = ?
+		 WHERE id = ?`,
+		val, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf(
+			"set invite only: %w", err,
+		)
+	}
+
+	return nil
+}
+
+// AddChannelInvite records that a session has been
+// invited to a channel.
+func (database *Database) AddChannelInvite(
+	ctx context.Context,
+	channelID, sessionID int64,
+	invitedBy string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`INSERT OR IGNORE INTO channel_invites
+		 (channel_id, session_id, invited_by, created_at)
+		 VALUES (?, ?, ?, ?)`,
+		channelID, sessionID, invitedBy, time.Now())
+	if err != nil {
+		return fmt.Errorf("add channel invite: %w", err)
+	}
+
+	return nil
+}
+
+// HasChannelInvite checks if a session has been invited
+// to a channel.
+func (database *Database) HasChannelInvite(
+	ctx context.Context,
+	channelID, sessionID int64,
+) (bool, error) {
+	var count int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT COUNT(*) FROM channel_invites
+		 WHERE channel_id = ? AND session_id = ?`,
+		channelID, sessionID,
+	).Scan(&count)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check invite: %w", err,
+		)
+	}
+
+	return count > 0, nil
+}
+
+// ClearChannelInvite removes a session's invite to a
+// channel (called after successful JOIN).
+func (database *Database) ClearChannelInvite(
+	ctx context.Context,
+	channelID, sessionID int64,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`DELETE FROM channel_invites
+		 WHERE channel_id = ? AND session_id = ?`,
+		channelID, sessionID)
+	if err != nil {
+		return fmt.Errorf("clear invite: %w", err)
+	}
+
+	return nil
+}
+
+// --- Tier 2: Secret (+s) ---
+
+// IsChannelSecret checks if a channel has +s mode.
+func (database *Database) IsChannelSecret(
+	ctx context.Context,
+	channelID int64,
+) (bool, error) {
+	var isSecret int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT is_secret FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&isSecret)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check secret: %w", err,
+		)
+	}
+
+	return isSecret != 0, nil
+}
+
+// SetChannelSecret sets or unsets +s mode.
+func (database *Database) SetChannelSecret(
+	ctx context.Context,
+	channelID int64,
+	secret bool,
+) error {
+	val := 0
+	if secret {
+		val = 1
+	}
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET is_secret = ?, updated_at = ?
+		 WHERE id = ?`,
+		val, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf("set secret: %w", err)
+	}
+
+	return nil
+}
+
+// --- No External Messages (+n) ---
+
+// IsChannelNoExternal checks if a channel has +n mode.
+func (database *Database) IsChannelNoExternal(
+	ctx context.Context,
+	channelID int64,
+) (bool, error) {
+	var isNoExternal int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT is_no_external FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&isNoExternal)
+	if err != nil {
+		return false, fmt.Errorf(
+			"check no external: %w", err,
+		)
+	}
+
+	return isNoExternal != 0, nil
+}
+
+// SetChannelNoExternal sets or unsets +n mode.
+func (database *Database) SetChannelNoExternal(
+	ctx context.Context,
+	channelID int64,
+	noExternal bool,
+) error {
+	val := 0
+	if noExternal {
+		val = 1
+	}
+
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET is_no_external = ?, updated_at = ?
+		 WHERE id = ?`,
+		val, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf("set no external: %w", err)
+	}
+
+	return nil
+}
+
+// ListAllChannelsWithCountsFiltered returns all channels
+// with member counts, excluding secret channels that
+// the given session is not a member of.
+//
+//nolint:dupl // different query+type vs ListChannelBans
+func (database *Database) ListAllChannelsWithCountsFiltered(
+	ctx context.Context,
+	sessionID int64,
+) ([]ChannelInfoFull, error) {
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT c.name, COUNT(cm.id) AS member_count,
+		        c.topic
+		 FROM channels c
+		 LEFT JOIN channel_members cm
+		   ON cm.channel_id = c.id
+		 WHERE c.is_secret = 0
+		    OR c.id IN (
+		       SELECT channel_id FROM channel_members
+		       WHERE session_id = ?
+		    )
+		 GROUP BY c.id
+		 ORDER BY c.name ASC`,
+		sessionID)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"list channels filtered: %w", err,
+		)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var channels []ChannelInfoFull
+
+	for rows.Next() {
+		var chanInfo ChannelInfoFull
+
+		if scanErr := rows.Scan(
+			&chanInfo.Name,
+			&chanInfo.MemberCount,
+			&chanInfo.Topic,
+		); scanErr != nil {
+			return nil, fmt.Errorf(
+				"scan channel: %w", scanErr,
+			)
+		}
+
+		channels = append(channels, chanInfo)
+	}
+
+	if rowErr := rows.Err(); rowErr != nil {
+		return nil, fmt.Errorf(
+			"iterate channels: %w", rowErr,
+		)
+	}
+
+	return channels, nil
+}
+
+// GetSessionChannelsFiltered returns channels a session
+// belongs to, optionally excluding secret channels for
+// WHOIS (when the querier is not in the same channel).
+// If querierID == targetID, returns all channels.
+func (database *Database) GetSessionChannelsFiltered(
+	ctx context.Context,
+	targetSID, querierSID int64,
+) ([]ChannelInfo, error) {
+	// If querying yourself, return all channels.
+	if targetSID == querierSID {
+		return database.GetSessionChannels(ctx, targetSID)
+	}
+
+	rows, err := database.conn.QueryContext(ctx,
+		`SELECT c.id, c.name, c.topic
+		 FROM channels c
+		 JOIN channel_members cm
+		   ON cm.channel_id = c.id
+		 WHERE cm.session_id = ?
+		   AND (c.is_secret = 0
+		        OR c.id IN (
+		           SELECT channel_id FROM channel_members
+		           WHERE session_id = ?
+		        ))
+		 ORDER BY c.name ASC`,
+		targetSID, querierSID)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"get session channels filtered: %w", err,
+		)
+	}
+
+	defer func() { _ = rows.Close() }()
+
+	var channels []ChannelInfo
+
+	for rows.Next() {
+		var chanInfo ChannelInfo
+
+		if scanErr := rows.Scan(
+			&chanInfo.ID,
+			&chanInfo.Name,
+			&chanInfo.Topic,
+		); scanErr != nil {
+			return nil, fmt.Errorf(
+				"scan channel: %w", scanErr,
+			)
+		}
+
+		channels = append(channels, chanInfo)
+	}
+
+	if rowErr := rows.Err(); rowErr != nil {
+		return nil, fmt.Errorf(
+			"iterate channels: %w", rowErr,
+		)
+	}
+
+	return channels, nil
+}
+
+// --- Tier 2: Channel Key (+k) ---
+
+// GetChannelKey returns the key for a channel (empty
+// string means no key set).
+func (database *Database) GetChannelKey(
+	ctx context.Context,
+	channelID int64,
+) (string, error) {
+	var key string
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT channel_key FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&key)
+	if err != nil {
+		return "", fmt.Errorf("get channel key: %w", err)
+	}
+
+	return key, nil
+}
+
+// SetChannelKey sets or clears the key for a channel.
+func (database *Database) SetChannelKey(
+	ctx context.Context,
+	channelID int64,
+	key string,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET channel_key = ?, updated_at = ?
+		 WHERE id = ?`,
+		key, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf("set channel key: %w", err)
+	}
+
+	return nil
+}
+
+// --- Tier 2: User Limit (+l) ---
+
+// GetChannelUserLimit returns the user limit for a
+// channel (0 means no limit).
+func (database *Database) GetChannelUserLimit(
+	ctx context.Context,
+	channelID int64,
+) (int, error) {
+	var limit int
+
+	err := database.conn.QueryRowContext(ctx,
+		`SELECT user_limit FROM channels
+		 WHERE id = ?`,
+		channelID,
+	).Scan(&limit)
+	if err != nil {
+		return 0, fmt.Errorf(
+			"get channel user limit: %w", err,
+		)
+	}
+
+	return limit, nil
+}
+
+// SetChannelUserLimit sets the user limit for a channel.
+func (database *Database) SetChannelUserLimit(
+	ctx context.Context,
+	channelID int64,
+	limit int,
+) error {
+	_, err := database.conn.ExecContext(ctx,
+		`UPDATE channels
+		 SET user_limit = ?, updated_at = ?
+		 WHERE id = ?`,
+		limit, time.Now(), channelID)
+	if err != nil {
+		return fmt.Errorf(
+			"set channel user limit: %w", err,
+		)
+	}
+
+	return nil
+}

internal/db/queries_test.go

@@ -1017,3 +1017,474 @@ func TestGetOperCount(t *testing.T) {
 		t.Fatalf("expected 1 oper, got %d", count)
 	}
 }
+
+// --- Tier 2 Tests ---
+
+func TestWildcardMatch(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		pattern string
+		input   string
+		match   bool
+	}{
+		{"*!*@*", "nick!user@host", true},
+		{"*!*@*.example.com", "nick!user@foo.example.com", true},
+		{"*!*@*.example.com", "nick!user@other.net", false},
+		{"badnick!*@*", "badnick!user@host", true},
+		{"badnick!*@*", "goodnick!user@host", false},
+		{"nick!user@host", "nick!user@host", true},
+		{"nick!user@host", "nick!user@other", false},
+		{"*", "anything", true},
+		{"?ick!*@*", "nick!user@host", true},
+		{"?ick!*@*", "nn!user@host", false},
+		// Case-insensitive.
+		{"Nick!*@*", "nick!user@host", true},
+	}
+
+	for _, tc := range tests {
+		result := db.MatchBanMask(tc.pattern, tc.input)
+		if result != tc.match {
+			t.Errorf(
+				"MatchBanMask(%q, %q) = %v, want %v",
+				tc.pattern, tc.input, result, tc.match,
+			)
+		}
+	}
+}
+
+func TestChannelBanCRUD(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// No bans initially.
+	bans, err := database.ListChannelBans(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(bans) != 0 {
+		t.Fatalf("expected 0 bans, got %d", len(bans))
+	}
+
+	// Add a ban.
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, err = database.ListChannelBans(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(bans) != 1 {
+		t.Fatalf("expected 1 ban, got %d", len(bans))
+	}
+
+	if bans[0].Mask != "*!*@evil.com" {
+		t.Fatalf("wrong mask: %s", bans[0].Mask)
+	}
+
+	// Duplicate add is ignored (OR IGNORE).
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op2",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, _ = database.ListChannelBans(ctx, chID)
+	if len(bans) != 1 {
+		t.Fatalf("expected 1 ban after dup, got %d", len(bans))
+	}
+
+	// Remove ban.
+	err = database.RemoveChannelBan(
+		ctx, chID, "*!*@evil.com",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	bans, _ = database.ListChannelBans(ctx, chID)
+	if len(bans) != 0 {
+		t.Fatalf("expected 0 bans after remove, got %d", len(bans))
+	}
+}
+
+func TestIsSessionBanned(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "victim", "victim", "evil.com", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(ctx, "#bantest")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Not banned initially.
+	banned, err := database.IsSessionBanned(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if banned {
+		t.Fatal("should not be banned initially")
+	}
+
+	// Add ban matching the hostmask.
+	err = database.AddChannelBan(
+		ctx, chID, "*!*@evil.com", "op",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	banned, err = database.IsSessionBanned(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !banned {
+		t.Fatal("should be banned")
+	}
+}
+
+func TestChannelInviteOnly(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#invite")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: not invite-only.
+	isIO, err := database.IsChannelInviteOnly(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isIO {
+		t.Fatal("should not be invite-only by default")
+	}
+
+	// Set invite-only.
+	err = database.SetChannelInviteOnly(ctx, chID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
+	if !isIO {
+		t.Fatal("should be invite-only")
+	}
+
+	// Unset.
+	err = database.SetChannelInviteOnly(ctx, chID, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
+	if isIO {
+		t.Fatal("should not be invite-only")
+	}
+}
+
+func TestChannelInviteCRUD(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid, _, _, err := database.CreateSession(
+		ctx, "invited", "", "", "",
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	chID, err := database.GetOrCreateChannel(ctx, "#inv")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// No invite initially.
+	has, err := database.HasChannelInvite(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if has {
+		t.Fatal("should not have invite")
+	}
+
+	// Add invite.
+	err = database.AddChannelInvite(ctx, chID, sid, "op")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	has, _ = database.HasChannelInvite(ctx, chID, sid)
+	if !has {
+		t.Fatal("should have invite")
+	}
+
+	// Clear invite.
+	err = database.ClearChannelInvite(ctx, chID, sid)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	has, _ = database.HasChannelInvite(ctx, chID, sid)
+	if has {
+		t.Fatal("invite should be cleared")
+	}
+}
+
+func TestChannelSecret(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#secret")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: not secret.
+	isSec, err := database.IsChannelSecret(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if isSec {
+		t.Fatal("should not be secret by default")
+	}
+
+	err = database.SetChannelSecret(ctx, chID, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	isSec, _ = database.IsChannelSecret(ctx, chID)
+	if !isSec {
+		t.Fatal("should be secret")
+	}
+}
+
+// createTestSession is a helper to create a session and
+// return only the session ID.
+func createTestSession(
+	t *testing.T,
+	database *db.Database,
+	nick string,
+) int64 {
+	t.Helper()
+
+	sid, _, _, err := database.CreateSession(
+		t.Context(), nick, "", "", "",
+	)
+	if err != nil {
+		t.Fatalf("create session %s: %v", nick, err)
+	}
+
+	return sid
+}
+
+func TestSecretChannelFiltering(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	// Create two sessions.
+	sid1 := createTestSession(t, database, "member")
+	sid2 := createTestSession(t, database, "outsider")
+
+	// Create a secret channel.
+	chID, _ := database.GetOrCreateChannel(ctx, "#secret")
+	_ = database.SetChannelSecret(ctx, chID, true)
+	_ = database.JoinChannel(ctx, chID, sid1)
+
+	// Create a non-secret channel.
+	chID2, _ := database.GetOrCreateChannel(ctx, "#public")
+	_ = database.JoinChannel(ctx, chID2, sid1)
+
+	// Member should see both.
+	list, err := database.ListAllChannelsWithCountsFiltered(
+		ctx, sid1,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(list) != 2 {
+		t.Fatalf("member should see 2 channels, got %d", len(list))
+	}
+
+	// Outsider should only see public.
+	list, _ = database.ListAllChannelsWithCountsFiltered(
+		ctx, sid2,
+	)
+	if len(list) != 1 {
+		t.Fatalf("outsider should see 1 channel, got %d", len(list))
+	}
+
+	if list[0].Name != "#public" {
+		t.Fatalf("outsider should see #public, got %s", list[0].Name)
+	}
+}
+
+func TestWhoisChannelFiltering(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	sid1 := createTestSession(t, database, "target")
+	sid2 := createTestSession(t, database, "querier")
+
+	// Create secret channel, target joins it.
+	chID, _ := database.GetOrCreateChannel(ctx, "#hidden")
+	_ = database.SetChannelSecret(ctx, chID, true)
+	_ = database.JoinChannel(ctx, chID, sid1)
+
+	// Querier (non-member) should not see the channel.
+	channels, err := database.GetSessionChannelsFiltered(
+		ctx, sid1, sid2,
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(channels) != 0 {
+		t.Fatalf(
+			"querier should see 0 channels, got %d",
+			len(channels),
+		)
+	}
+
+	// Target querying self should see it.
+	channels, _ = database.GetSessionChannelsFiltered(
+		ctx, sid1, sid1,
+	)
+	if len(channels) != 1 {
+		t.Fatalf(
+			"self-query should see 1 channel, got %d",
+			len(channels),
+		)
+	}
+}
+
+//nolint:dupl // structurally similar to TestChannelUserLimit
+func TestChannelKey(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#keyed")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: no key.
+	key, err := database.GetChannelKey(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if key != "" {
+		t.Fatalf("expected empty key, got %q", key)
+	}
+
+	// Set key.
+	err = database.SetChannelKey(ctx, chID, "secret123")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, _ = database.GetChannelKey(ctx, chID)
+	if key != "secret123" {
+		t.Fatalf("expected secret123, got %q", key)
+	}
+
+	// Clear key.
+	err = database.SetChannelKey(ctx, chID, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	key, _ = database.GetChannelKey(ctx, chID)
+	if key != "" {
+		t.Fatalf("expected empty key, got %q", key)
+	}
+}
+
+//nolint:dupl // structurally similar to TestChannelKey
+func TestChannelUserLimit(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	chID, err := database.GetOrCreateChannel(ctx, "#limited")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Default: no limit.
+	limit, err := database.GetChannelUserLimit(ctx, chID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if limit != 0 {
+		t.Fatalf("expected 0 limit, got %d", limit)
+	}
+
+	// Set limit.
+	err = database.SetChannelUserLimit(ctx, chID, 50)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	limit, _ = database.GetChannelUserLimit(ctx, chID)
+	if limit != 50 {
+		t.Fatalf("expected 50, got %d", limit)
+	}
+
+	// Clear limit.
+	err = database.SetChannelUserLimit(ctx, chID, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	limit, _ = database.GetChannelUserLimit(ctx, chID)
+	if limit != 0 {
+		t.Fatalf("expected 0, got %d", limit)
+	}
+}

internal/db/schema/000.sql

@@ -0,0 +1,6 @@
+-- Bootstrap: create the schema_migrations table itself.
+CREATE TABLE IF NOT EXISTS schema_migrations (
+    version INTEGER PRIMARY KEY,
+    applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+INSERT OR IGNORE INTO schema_migrations (version) VALUES (0);

internal/db/schema/001_initial.sql

@@ -42,10 +42,37 @@ CREATE TABLE IF NOT EXISTS channels (
     hashcash_bits INTEGER NOT NULL DEFAULT 0,
     is_moderated INTEGER NOT NULL DEFAULT 0,
     is_topic_locked INTEGER NOT NULL DEFAULT 1,
+    is_invite_only INTEGER NOT NULL DEFAULT 0,
+    is_secret INTEGER NOT NULL DEFAULT 0,
+    is_no_external INTEGER NOT NULL DEFAULT 1,
+    channel_key TEXT NOT NULL DEFAULT '',
+    user_limit INTEGER NOT NULL DEFAULT 0,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 
+-- Channel bans
+CREATE TABLE IF NOT EXISTS channel_bans (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    mask TEXT NOT NULL,
+    set_by TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, mask)
+);
+CREATE INDEX IF NOT EXISTS idx_channel_bans_channel ON channel_bans(channel_id);
+
+-- Channel invites (in-memory would be simpler but DB survives restarts)
+CREATE TABLE IF NOT EXISTS channel_invites (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
+    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+    invited_by TEXT NOT NULL DEFAULT '',
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(channel_id, session_id)
+);
+CREATE INDEX IF NOT EXISTS idx_channel_invites_channel ON channel_invites(channel_id);
+
 -- Channel members
 CREATE TABLE IF NOT EXISTS channel_members (
     id INTEGER PRIMARY KEY AUTOINCREMENT,

internal/handlers/api.go

@@ -402,7 +402,7 @@ func (hdlr *Handlers) deliverWelcome(
 	// 004 RPL_MYINFO
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplMyInfo, nick,
-		[]string{srvName, version, "", "mnst"},
+		[]string{srvName, version, "", "ikmnostl"},
 		"",
 	)
 
@@ -413,7 +413,7 @@ func (hdlr *Handlers) deliverWelcome(
 			"CHANTYPES=#",
 			"NICKLEN=32",
 			"PREFIX=(ov)@+",
-			"CHANMODES=,,H,mnst",
+			"CHANMODES=b,k,Hl,imnst",
 			"NETWORK=neoirc",
 			"CASEMAPPING=ascii",
 		},
@@ -984,6 +984,7 @@ func (hdlr *Handlers) dispatchCommand(
 		hdlr.handleJoin(
 			writer, request,
 			sessionID, clientID, nick, target,
+			bodyLines,
 		)
 	case irc.CmdPart:
 		hdlr.handlePart(
@@ -1006,6 +1007,11 @@ func (hdlr *Handlers) dispatchCommand(
 			sessionID, clientID, nick,
 			target, body, bodyLines,
 		)
+	case irc.CmdInvite:
+		hdlr.handleInvite(
+			writer, request,
+			sessionID, clientID, nick, bodyLines,
+		)
 	case irc.CmdKick:
 		hdlr.handleKick(
 			writer, request,
@@ -1451,6 +1457,7 @@ func (hdlr *Handlers) handleJoin(
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, target string,
+	bodyLines func() []string,
 ) {
 	if target == "" {
 		hdlr.respondIRCError(
@@ -1477,9 +1484,17 @@ func (hdlr *Handlers) handleJoin(
 		return
 	}
 
+	// Extract key from body lines (JOIN #channel key).
+	var suppliedKey string
+
+	lines := bodyLines()
+	if len(lines) > 0 {
+		suppliedKey = lines[0]
+	}
+
 	hdlr.executeJoin(
 		writer, request,
-		sessionID, clientID, nick, channel,
+		sessionID, clientID, nick, channel, suppliedKey,
 	)
 }
 
@@ -1487,10 +1502,11 @@ func (hdlr *Handlers) executeJoin(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
-	nick, channel string,
+	nick, channel, suppliedKey string,
 ) {
 	result, err := hdlr.svc.JoinChannel(
-		request.Context(), sessionID, nick, channel,
+		request.Context(), sessionID, nick,
+		channel, suppliedKey,
 	)
 	if hdlr.handleServiceError(
 		writer, request,
@@ -2000,33 +2016,14 @@ func (hdlr *Handlers) handleChannelMode(
 }
 
 // buildChannelModeString constructs the current mode
-// string for a channel, including +n (always on), +t, +m,
-// and +H with its parameter.
+// string for a channel by delegating to the service
+// layer's QueryChannelMode, which returns the complete
+// mode string including all flags and parameters.
 func (hdlr *Handlers) buildChannelModeString(
 	ctx context.Context,
 	chID int64,
 ) string {
-	modes := "+n"
-
-	isTopicLocked, tlErr := hdlr.params.Database.
-		IsChannelTopicLocked(ctx, chID)
-	if tlErr == nil && isTopicLocked {
-		modes += "t"
-	}
-
-	isModerated, modErr := hdlr.params.Database.
-		IsChannelModerated(ctx, chID)
-	if modErr == nil && isModerated {
-		modes += "m"
-	}
-
-	bits, bitsErr := hdlr.params.Database.
-		GetChannelHashcashBits(ctx, chID)
-	if bitsErr == nil && bits > 0 {
-		modes += fmt.Sprintf("H %d", bits)
-	}
-
-	return modes
+	return hdlr.svc.QueryChannelMode(ctx, chID)
 }
 
 // queryChannelMode sends RPL_CHANNELMODEIS and
@@ -2084,9 +2081,39 @@ func (hdlr *Handlers) applyChannelMode(
 	chID int64,
 	modeArgs []string,
 ) {
-	ctx := request.Context()
 	modeStr := modeArgs[0]
 
+	if hdlr.applyUserModeIfMatched(
+		writer, request, sessionID, clientID,
+		nick, channel, chID, modeStr, modeArgs,
+	) {
+		return
+	}
+
+	if hdlr.applyChannelFlagIfMatched(
+		writer, request, sessionID, clientID,
+		nick, channel, chID, modeStr,
+	) {
+		return
+	}
+
+	hdlr.applyParameterizedMode(
+		writer, request, sessionID, clientID,
+		nick, channel, chID, modeStr, modeArgs,
+	)
+}
+
+// applyUserModeIfMatched handles +o/-o and +v/-v.
+// Returns true if the mode was handled.
+func (hdlr *Handlers) applyUserModeIfMatched(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeStr string,
+	modeArgs []string,
+) bool {
 	switch modeStr {
 	case "+o", "-o":
 		hdlr.applyUserMode(
@@ -2094,35 +2121,104 @@ func (hdlr *Handlers) applyChannelMode(
 			sessionID, clientID, nick,
 			channel, chID, modeArgs, true,
 		)
+
+		return true
 	case "+v", "-v":
 		hdlr.applyUserMode(
 			writer, request,
 			sessionID, clientID, nick,
 			channel, chID, modeArgs, false,
 		)
-	case "+m":
+
+		return true
+	default:
+		return false
+	}
+}
+
+// applyChannelFlagIfMatched handles simple boolean modes
+// (+m/-m, +t/-t, +i/-i, +s/-s).
+// Returns true if the mode was handled.
+func (hdlr *Handlers) applyChannelFlagIfMatched(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeStr string,
+) bool {
+	flagMap := map[string]struct {
+		flag    string
+		setting bool
+	}{
+		"+m": {"m", true}, "-m": {"m", false},
+		"+t": {"t", true}, "-t": {"t", false},
+		"+i": {"i", true}, "-i": {"i", false},
+		"+s": {"s", true}, "-s": {"s", false},
+	}
+
+	entry, exists := flagMap[modeStr]
+	if !exists {
+		return false
+	}
+
 	hdlr.setChannelFlag(
 		writer, request,
 		sessionID, clientID, nick,
-			channel, chID, "m", true,
+		channel, chID, entry.flag, entry.setting,
 	)
-	case "-m":
-		hdlr.setChannelFlag(
+
+	return true
+}
+
+// applyParameterizedMode handles modes that take
+// parameters (+k/-k, +l/-l, +b/-b, +H/-H) and
+// unknown modes.
+func (hdlr *Handlers) applyParameterizedMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeStr string,
+	modeArgs []string,
+) {
+	switch modeStr {
+	case "+k":
+		hdlr.setChannelKeyMode(
 			writer, request,
 			sessionID, clientID, nick,
-			channel, chID, "m", false,
+			channel, chID, modeArgs,
 		)
-	case "+t":
-		hdlr.setChannelFlag(
+	case "-k":
+		hdlr.clearChannelKeyMode(
 			writer, request,
 			sessionID, clientID, nick,
-			channel, chID, "t", true,
+			channel, chID,
 		)
-	case "-t":
-		hdlr.setChannelFlag(
+	case "+l":
+		hdlr.setChannelLimitMode(
 			writer, request,
 			sessionID, clientID, nick,
-			channel, chID, "t", false,
+			channel, chID, modeArgs,
+		)
+	case "-l":
+		hdlr.clearChannelLimitMode(
+			writer, request,
+			sessionID, clientID, nick,
+			channel, chID,
+		)
+	case "+b":
+		hdlr.handleBanMode(
+			writer, request,
+			sessionID, clientID, nick,
+			channel, chID, modeArgs, true,
+		)
+	case "-b":
+		hdlr.handleBanMode(
+			writer, request,
+			sessionID, clientID, nick,
+			channel, chID, modeArgs, false,
 		)
 	case "+H":
 		hdlr.setHashcashMode(
@@ -2137,9 +2233,9 @@ func (hdlr *Handlers) applyChannelMode(
 			channel, chID,
 		)
 	default:
-		// Unknown or unsupported mode change.
 		hdlr.enqueueNumeric(
-			ctx, clientID, irc.ErrUnknownMode, nick,
+			request.Context(), clientID,
+			irc.ErrUnknownMode, nick,
 			[]string{modeStr},
 			"is unknown mode char to me",
 		)
@@ -2394,6 +2490,570 @@ func (hdlr *Handlers) clearHashcashMode(
 		http.StatusOK)
 }
 
+// handleBanMode handles MODE #channel +b/-b [mask].
+// +b with no argument lists bans; +b with argument adds
+// a ban; -b removes a ban.
+func (hdlr *Handlers) handleBanMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeArgs []string,
+	adding bool,
+) {
+	// +b with no argument: list bans.
+	if adding && len(modeArgs) < 2 {
+		hdlr.listBans(
+			writer, request,
+			sessionID, clientID, nick, channel, chID,
+		)
+
+		return
+	}
+
+	if !hdlr.requireChannelOp(
+		writer, request,
+		sessionID, clientID, nick, channel, chID,
+	) {
+		return
+	}
+
+	if len(modeArgs) < 2 { //nolint:mnd // mode + mask
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdMode},
+			"Not enough parameters",
+		)
+
+		return
+	}
+
+	hdlr.executeBanChange(
+		writer, request, nick, channel,
+		chID, modeArgs[1], adding,
+	)
+}
+
+// executeBanChange applies a ban add/remove and
+// broadcasts the mode change.
+func (hdlr *Handlers) executeBanChange(
+	writer http.ResponseWriter,
+	request *http.Request,
+	nick, channel string,
+	chID int64,
+	mask string,
+	adding bool,
+) {
+	ctx := request.Context()
+
+	var err error
+	if adding {
+		err = hdlr.params.Database.AddChannelBan(
+			ctx, chID, mask, nick,
+		)
+	} else {
+		err = hdlr.params.Database.RemoveChannelBan(
+			ctx, chID, mask,
+		)
+	}
+
+	if err != nil {
+		hdlr.log.Error(
+			"ban mode change failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	modePrefix := "+"
+	if !adding {
+		modePrefix = "-"
+	}
+
+	memberIDs, _ := hdlr.params.Database.
+		GetChannelMemberIDs(ctx, chID)
+
+	modeBody, mErr := json.Marshal(
+		[]string{modePrefix + "b", mask},
+	)
+	if mErr == nil {
+		_ = hdlr.fanOutSilent(
+			request, irc.CmdMode, nick, channel,
+			json.RawMessage(modeBody), memberIDs,
+		)
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// listBans sends RPL_BANLIST (367) and
+// RPL_ENDOFBANLIST (368) for a channel.
+func (hdlr *Handlers) listBans(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+) {
+	ctx := request.Context()
+
+	bans, err := hdlr.params.Database.ListChannelBans(
+		ctx, chID,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"list bans failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	for _, ban := range bans {
+		hdlr.enqueueNumeric(
+			ctx, clientID, irc.RplBanList, nick,
+			[]string{
+				channel,
+				ban.Mask,
+				ban.SetBy,
+				strconv.FormatInt(
+					ban.CreatedAt.Unix(), 10,
+				),
+			},
+			"",
+		)
+	}
+
+	hdlr.enqueueNumeric(
+		ctx, clientID, irc.RplEndOfBanList, nick,
+		[]string{channel},
+		"End of channel ban list",
+	)
+
+	hdlr.broker.Notify(sessionID)
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// setChannelKeyMode handles MODE #channel +k <key>.
+func (hdlr *Handlers) setChannelKeyMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeArgs []string,
+) {
+	ctx := request.Context()
+
+	if !hdlr.requireChannelOp(
+		writer, request,
+		sessionID, clientID, nick, channel, chID,
+	) {
+		return
+	}
+
+	if len(modeArgs) < 2 { //nolint:mnd // +k requires key arg
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdMode},
+			"Not enough parameters (+k requires a key)",
+		)
+
+		return
+	}
+
+	key := modeArgs[1]
+
+	err := hdlr.params.Database.SetChannelKey(
+		ctx, chID, key,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"set channel key failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	// Broadcast +k mode change.
+	memberIDs, _ := hdlr.params.Database.
+		GetChannelMemberIDs(ctx, chID)
+
+	modeBody, mErr := json.Marshal([]string{"+k", key})
+	if mErr == nil {
+		_ = hdlr.fanOutSilent(
+			request, irc.CmdMode, nick, channel,
+			json.RawMessage(modeBody), memberIDs,
+		)
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// clearChannelKeyMode handles MODE #channel -k *.
+func (hdlr *Handlers) clearChannelKeyMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+) {
+	ctx := request.Context()
+
+	if !hdlr.requireChannelOp(
+		writer, request,
+		sessionID, clientID, nick, channel, chID,
+	) {
+		return
+	}
+
+	err := hdlr.params.Database.SetChannelKey(
+		ctx, chID, "",
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"clear channel key failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	memberIDs, _ := hdlr.params.Database.
+		GetChannelMemberIDs(ctx, chID)
+
+	modeBody, mErr := json.Marshal([]string{"-k", "*"})
+	if mErr == nil {
+		_ = hdlr.fanOutSilent(
+			request, irc.CmdMode, nick, channel,
+			json.RawMessage(modeBody), memberIDs,
+		)
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// setChannelLimitMode handles MODE #channel +l <limit>.
+func (hdlr *Handlers) setChannelLimitMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+	modeArgs []string,
+) {
+	ctx := request.Context()
+
+	if !hdlr.requireChannelOp(
+		writer, request,
+		sessionID, clientID, nick, channel, chID,
+	) {
+		return
+	}
+
+	if len(modeArgs) < 2 { //nolint:mnd // +l requires limit arg
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdMode},
+			"Not enough parameters (+l requires a limit)",
+		)
+
+		return
+	}
+
+	limit, parseErr := strconv.Atoi(modeArgs[1])
+	if parseErr != nil || limit <= 0 {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrUnknownMode, nick, []string{"+l"},
+			"Invalid user limit (must be positive integer)",
+		)
+
+		return
+	}
+
+	err := hdlr.params.Database.SetChannelUserLimit(
+		ctx, chID, limit,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"set channel user limit failed", "error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	// Broadcast +l mode change.
+	memberIDs, _ := hdlr.params.Database.
+		GetChannelMemberIDs(ctx, chID)
+
+	modeBody, mErr := json.Marshal(
+		[]string{"+l", modeArgs[1]},
+	)
+	if mErr == nil {
+		_ = hdlr.fanOutSilent(
+			request, irc.CmdMode, nick, channel,
+			json.RawMessage(modeBody), memberIDs,
+		)
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// clearChannelLimitMode handles MODE #channel -l.
+func (hdlr *Handlers) clearChannelLimitMode(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+) {
+	ctx := request.Context()
+
+	if !hdlr.requireChannelOp(
+		writer, request,
+		sessionID, clientID, nick, channel, chID,
+	) {
+		return
+	}
+
+	err := hdlr.params.Database.SetChannelUserLimit(
+		ctx, chID, 0,
+	)
+	if err != nil {
+		hdlr.log.Error(
+			"clear channel user limit failed",
+			"error", err,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	memberIDs, _ := hdlr.params.Database.
+		GetChannelMemberIDs(ctx, chID)
+
+	modeBody, mErr := json.Marshal([]string{"-l"})
+	if mErr == nil {
+		_ = hdlr.fanOutSilent(
+			request, irc.CmdMode, nick, channel,
+			json.RawMessage(modeBody), memberIDs,
+		)
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
+// handleInvite processes the INVITE command.
+func (hdlr *Handlers) handleInvite(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick string,
+	bodyLines func() []string,
+) {
+	lines := bodyLines()
+	if len(lines) < 2 { //nolint:mnd // nick + channel
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNeedMoreParams, nick,
+			[]string{irc.CmdInvite},
+			"Not enough parameters",
+		)
+
+		return
+	}
+
+	targetNick := lines[0]
+	channel := lines[1]
+
+	if !strings.HasPrefix(channel, "#") {
+		channel = "#" + channel
+	}
+
+	chID, targetSID, ok := hdlr.validateInvite(
+		writer, request,
+		sessionID, clientID, nick,
+		targetNick, channel,
+	)
+	if !ok {
+		return
+	}
+
+	hdlr.executeInvite(
+		writer, request,
+		sessionID, clientID, nick,
+		targetNick, channel, chID, targetSID,
+	)
+}
+
+// validateInvite checks channel, membership, permissions,
+// and target for an INVITE command.
+func (hdlr *Handlers) validateInvite(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, targetNick, channel string,
+) (int64, int64, bool) {
+	ctx := request.Context()
+
+	chID, err := hdlr.params.Database.GetChannelByName(
+		ctx, channel,
+	)
+	if err != nil {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNoSuchChannel, nick,
+			[]string{channel}, "No such channel",
+		)
+
+		return 0, 0, false
+	}
+
+	isMember, memErr := hdlr.params.Database.IsChannelMember(
+		ctx, chID, sessionID,
+	)
+	if memErr != nil || !isMember {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNotOnChannel, nick,
+			[]string{channel},
+			"You're not on that channel",
+		)
+
+		return 0, 0, false
+	}
+
+	isInviteOnly, ioErr := hdlr.params.Database.
+		IsChannelInviteOnly(ctx, chID)
+	if ioErr == nil && isInviteOnly {
+		if !hdlr.requireChannelOp(
+			writer, request,
+			sessionID, clientID, nick, channel, chID,
+		) {
+			return 0, 0, false
+		}
+	}
+
+	targetSID, nickErr := hdlr.params.Database.
+		GetSessionByNick(ctx, targetNick)
+	if nickErr != nil {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrNoSuchNick, nick,
+			[]string{targetNick},
+			"No such nick/channel",
+		)
+
+		return 0, 0, false
+	}
+
+	alreadyIn, aiErr := hdlr.params.Database.
+		IsChannelMember(ctx, chID, targetSID)
+	if aiErr == nil && alreadyIn {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrUserOnChannel, nick,
+			[]string{targetNick, channel},
+			"is already on channel",
+		)
+
+		return 0, 0, false
+	}
+
+	return chID, targetSID, true
+}
+
+// executeInvite records the invite and sends
+// notifications.
+func (hdlr *Handlers) executeInvite(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, targetNick, channel string,
+	chID, targetSID int64,
+) {
+	ctx := request.Context()
+
+	invErr := hdlr.params.Database.AddChannelInvite(
+		ctx, chID, targetSID, nick,
+	)
+	if invErr != nil {
+		hdlr.log.Error(
+			"add invite failed", "error", invErr,
+		)
+		hdlr.respondError(
+			writer, request,
+			"internal error",
+			http.StatusInternalServerError,
+		)
+
+		return
+	}
+
+	hdlr.enqueueNumeric(
+		ctx, clientID, irc.RplInviting, nick,
+		[]string{targetNick, channel}, "",
+	)
+	hdlr.broker.Notify(sessionID)
+
+	invBody, mErr := json.Marshal([]string{channel})
+	if mErr == nil {
+		_ = hdlr.fanOutSilent(
+			request, irc.CmdInvite, nick, targetNick,
+			json.RawMessage(invBody),
+			[]int64{targetSID},
+		)
+	}
+
+	hdlr.respondJSON(writer, request,
+		map[string]string{"status": "ok"},
+		http.StatusOK)
+}
+
 // handleNames sends NAMES reply for a channel.
 func (hdlr *Handlers) handleNames(
 	writer http.ResponseWriter,
@@ -2473,8 +3133,10 @@ func (hdlr *Handlers) handleList(
 ) {
 	ctx := request.Context()
 
+	// Use filtered list that hides +s channels
+	// from non-members.
 	channels, err := hdlr.params.Database.
-		ListAllChannelsWithCounts(ctx)
+		ListAllChannelsWithCountsFiltered(ctx, sessionID)
 	if err != nil {
 		hdlr.log.Error(
 			"list channels failed", "error", err,
@@ -2582,7 +3244,8 @@ func (hdlr *Handlers) executeWhois(
 	)
 
 	hdlr.deliverWhoisChannels(
-		ctx, clientID, nick, queryNick, targetSID,
+		ctx, clientID, nick, queryNick,
+		sessionID, targetSID,
 	)
 
 	// 338 RPL_WHOISACTUALLY — oper-only.
@@ -2691,10 +3354,14 @@ func (hdlr *Handlers) deliverWhoisChannels(
 	ctx context.Context,
 	clientID int64,
 	nick, queryNick string,
-	targetSID int64,
+	querierSID, targetSID int64,
 ) {
+	// Use filtered query that hides +s channels from
+	// non-members.
 	channels, chanErr := hdlr.params.Database.
-		GetSessionChannels(ctx, targetSID)
+		GetSessionChannelsFiltered(
+			ctx, targetSID, querierSID,
+		)
 	if chanErr != nil || len(channels) == 0 {
 		return
 	}
@@ -3295,3 +3962,76 @@ func (hdlr *Handlers) deliverWhoisIdle(
 		"seconds idle, signon time",
 	)
 }
+
+// fanOut inserts a message and enqueues it to all given
+// sessions.
+func (hdlr *Handlers) fanOut(
+	request *http.Request,
+	command, from, target string,
+	body json.RawMessage,
+	meta json.RawMessage,
+	sessionIDs []int64,
+) (string, error) {
+	dbID, msgUUID, err := hdlr.params.Database.InsertMessage(
+		request.Context(), command, from, target,
+		nil, body, meta,
+	)
+	if err != nil {
+		return "", fmt.Errorf("insert message: %w", err)
+	}
+
+	for _, sid := range sessionIDs {
+		enqErr := hdlr.params.Database.EnqueueToSession(
+			request.Context(), sid, dbID,
+		)
+		if enqErr != nil {
+			hdlr.log.Error("enqueue failed",
+				"error", enqErr, "session_id", sid)
+		}
+
+		hdlr.broker.Notify(sid)
+	}
+
+	return msgUUID, nil
+}
+
+// fanOutSilent calls fanOut and discards the UUID.
+func (hdlr *Handlers) fanOutSilent(
+	request *http.Request,
+	command, from, target string,
+	body json.RawMessage,
+	sessionIDs []int64,
+) error {
+	_, err := hdlr.fanOut(
+		request, command, from, target,
+		body, nil, sessionIDs,
+	)
+
+	return err
+}
+
+// requireChannelOp checks if the session is a channel
+// operator and sends ERR_CHANOPRIVSNEEDED if not.
+func (hdlr *Handlers) requireChannelOp(
+	writer http.ResponseWriter,
+	request *http.Request,
+	sessionID, clientID int64,
+	nick, channel string,
+	chID int64,
+) bool {
+	isOp, err := hdlr.params.Database.IsChannelOperator(
+		request.Context(), chID, sessionID,
+	)
+	if err != nil || !isOp {
+		hdlr.respondIRCError(
+			writer, request, clientID, sessionID,
+			irc.ErrChanOpPrivsNeeded, nick,
+			[]string{channel},
+			"You're not channel operator",
+		)
+
+		return false
+	}
+
+	return true
+}

internal/handlers/api_test.go

@@ -4390,3 +4390,486 @@ func TestKickDefaultReason(t *testing.T) {
 		)
 	}
 }
+
+// --- Tier 2 Handler Tests ---
+
+const (
+	inviteCmd    = "INVITE"
+	joinedStatus = "joined"
+)
+
+// TestBanAddRemoveList verifies +b add, list, and -b
+// remove via MODE commands.
+func TestBanAddRemoveList(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("banop")
+
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#bans",
+	})
+
+	// Add a ban.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#bans",
+		bodyKey:    []string{"+b", "*!*@evil.com"},
+	})
+
+	_, lastID := tserver.pollMessages(opToken, 0)
+
+	// List bans (+b with no argument).
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#bans",
+		bodyKey:    []string{"+b"},
+	})
+
+	msgs, _ := tserver.pollMessages(opToken, lastID)
+
+	// Should have RPL_BANLIST (367).
+	banMsg := findNumericWithParams(msgs, "367")
+	if banMsg == nil {
+		t.Fatalf("expected 367 RPL_BANLIST, got %v", msgs)
+	}
+
+	// Should have RPL_ENDOFBANLIST (368).
+	if !findNumeric(msgs, "368") {
+		t.Fatal("expected 368 RPL_ENDOFBANLIST")
+	}
+
+	// Remove the ban.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#bans",
+		bodyKey:    []string{"-b", "*!*@evil.com"},
+	})
+
+	_, lastID = tserver.pollMessages(opToken, lastID)
+
+	// List again — should be empty (just end-of-list).
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#bans",
+		bodyKey:    []string{"+b"},
+	})
+
+	msgs, _ = tserver.pollMessages(opToken, lastID)
+	banMsg = findNumericWithParams(msgs, "367")
+	if banMsg != nil {
+		t.Fatal("expected no 367 after ban removal")
+	}
+
+	if !findNumeric(msgs, "368") {
+		t.Fatal("expected 368 RPL_ENDOFBANLIST")
+	}
+}
+
+// TestBanBlocksJoin verifies that a banned user cannot
+// join a channel.
+func TestBanBlocksJoin(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("banop2")
+	userToken := tserver.createSession("banned2")
+
+	// Op creates channel and sets a ban.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#banjoin",
+	})
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#banjoin",
+		bodyKey:    []string{"+b", "banned2!*@*"},
+	})
+
+	// Banned user tries to join.
+	_, lastID := tserver.pollMessages(userToken, 0)
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd, toKey: "#banjoin",
+	})
+
+	msgs, _ := tserver.pollMessages(userToken, lastID)
+
+	// Should get ERR_BANNEDFROMCHAN (474).
+	if !findNumeric(msgs, "474") {
+		t.Fatalf("expected 474 ERR_BANNEDFROMCHAN, got %v", msgs)
+	}
+}
+
+// TestBanBlocksPrivmsg verifies that a banned user who
+// is already in a channel cannot send messages.
+func TestBanBlocksPrivmsg(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("banmsgop")
+	userToken := tserver.createSession("banmsgusr")
+
+	// Both join.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#banmsg",
+	})
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd, toKey: "#banmsg",
+	})
+
+	// Op bans the user.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#banmsg",
+		bodyKey:    []string{"+b", "banmsgusr!*@*"},
+	})
+
+	// User tries to send a message.
+	_, lastID := tserver.pollMessages(userToken, 0)
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: privmsgCmd,
+		toKey:      "#banmsg",
+		bodyKey:    []string{"hello"},
+	})
+
+	msgs, _ := tserver.pollMessages(userToken, lastID)
+
+	// Should get ERR_CANNOTSENDTOCHAN (404).
+	if !findNumeric(msgs, "404") {
+		t.Fatalf("expected 404 ERR_CANNOTSENDTOCHAN, got %v", msgs)
+	}
+}
+
+// TestInviteOnlyJoin verifies +i behavior: join rejected
+// without invite, accepted with invite.
+func TestInviteOnlyJoin(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("invop")
+	userToken := tserver.createSession("invusr")
+
+	// Op creates channel and sets +i.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#invonly",
+	})
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#invonly",
+		bodyKey:    []string{"+i"},
+	})
+
+	// User tries to join without invite.
+	_, lastID := tserver.pollMessages(userToken, 0)
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd, toKey: "#invonly",
+	})
+
+	msgs, _ := tserver.pollMessages(userToken, lastID)
+
+	if !findNumeric(msgs, "473") {
+		t.Fatalf(
+			"expected 473 ERR_INVITEONLYCHAN, got %v",
+			msgs,
+		)
+	}
+
+	// Op invites user.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: inviteCmd,
+		bodyKey:    []string{"invusr", "#invonly"},
+	})
+
+	// User tries again — should succeed with invite.
+	_, result := tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd, toKey: "#invonly",
+	})
+
+	if result[statusKey] != joinedStatus {
+		t.Fatalf(
+			"expected join to succeed with invite, got %v",
+			result,
+		)
+	}
+}
+
+// TestSecretChannelHiddenFromList verifies +s hides a
+// channel from LIST for non-members.
+func TestSecretChannelHiddenFromList(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("secop")
+	outsiderToken := tserver.createSession("secout")
+
+	// Op creates secret channel.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#secret",
+	})
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#secret",
+		bodyKey:    []string{"+s"},
+	})
+
+	// Outsider does LIST.
+	_, lastID := tserver.pollMessages(outsiderToken, 0)
+	tserver.sendCommand(outsiderToken, map[string]any{
+		commandKey: "LIST",
+	})
+
+	msgs, _ := tserver.pollMessages(outsiderToken, lastID)
+
+	// Should NOT see #secret in any 322 (RPL_LIST).
+	for _, msg := range msgs {
+		code, ok := msg["code"].(float64)
+		if !ok || int(code) != 322 {
+			continue
+		}
+
+		params := getNumericParams(msg)
+		for _, p := range params {
+			if p == "#secret" {
+				t.Fatal("outsider should not see #secret in LIST")
+			}
+		}
+	}
+
+	// Member does LIST — should see it.
+	_, lastID = tserver.pollMessages(opToken, 0)
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: "LIST",
+	})
+
+	msgs, _ = tserver.pollMessages(opToken, lastID)
+
+	found := false
+
+	for _, msg := range msgs {
+		code, ok := msg["code"].(float64)
+		if !ok || int(code) != 322 {
+			continue
+		}
+
+		params := getNumericParams(msg)
+		for _, p := range params {
+			if p == "#secret" {
+				found = true
+			}
+		}
+	}
+
+	if !found {
+		t.Fatal("member should see #secret in LIST")
+	}
+}
+
+// TestChannelKeyJoin verifies +k behavior: wrong/missing
+// key is rejected, correct key allows join.
+func TestChannelKeyJoin(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("keyop")
+	userToken := tserver.createSession("keyusr")
+
+	// Op creates keyed channel.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#keyed",
+	})
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#keyed",
+		bodyKey:    []string{"+k", "mykey"},
+	})
+
+	// User tries without key.
+	_, lastID := tserver.pollMessages(userToken, 0)
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd, toKey: "#keyed",
+	})
+
+	msgs, _ := tserver.pollMessages(userToken, lastID)
+
+	if !findNumeric(msgs, "475") {
+		t.Fatalf(
+			"expected 475 ERR_BADCHANNELKEY, got %v",
+			msgs,
+		)
+	}
+
+	// User tries with wrong key.
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd,
+		toKey:      "#keyed",
+		bodyKey:    []string{"wrongkey"},
+	})
+
+	msgs, _ = tserver.pollMessages(userToken, lastID)
+	if !findNumeric(msgs, "475") {
+		t.Fatalf(
+			"expected 475 ERR_BADCHANNELKEY for wrong key, got %v",
+			msgs,
+		)
+	}
+
+	// User tries with correct key.
+	_, result := tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd,
+		toKey:      "#keyed",
+		bodyKey:    []string{"mykey"},
+	})
+
+	if result[statusKey] != joinedStatus {
+		t.Fatalf(
+			"expected join to succeed with correct key, got %v",
+			result,
+		)
+	}
+}
+
+// TestUserLimitEnforcement verifies +l behavior: blocks
+// join when at capacity.
+func TestUserLimitEnforcement(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("limop")
+	user1Token := tserver.createSession("limusr1")
+	user2Token := tserver.createSession("limusr2")
+
+	// Op creates channel with limit 2.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#limited",
+	})
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd,
+		toKey:      "#limited",
+		bodyKey:    []string{"+l", "2"},
+	})
+
+	// User1 joins — should succeed (2 members now: op + user1).
+	_, result := tserver.sendCommand(user1Token, map[string]any{
+		commandKey: joinCmd, toKey: "#limited",
+	})
+	if result[statusKey] != joinedStatus {
+		t.Fatalf("user1 should join, got %v", result)
+	}
+
+	// User2 tries to join — should fail (at limit: 2/2).
+	_, lastID := tserver.pollMessages(user2Token, 0)
+	tserver.sendCommand(user2Token, map[string]any{
+		commandKey: joinCmd, toKey: "#limited",
+	})
+
+	msgs, _ := tserver.pollMessages(user2Token, lastID)
+
+	if !findNumeric(msgs, "471") {
+		t.Fatalf(
+			"expected 471 ERR_CHANNELISFULL, got %v",
+			msgs,
+		)
+	}
+}
+
+// TestModeStringIncludesNewModes verifies that querying
+// channel mode returns the new modes (+i, +s, +k, +l).
+func TestModeStringIncludesNewModes(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("modestrop")
+
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#modestr",
+	})
+
+	// Set all tier 2 modes.
+	for _, modeChange := range [][]string{
+		{"+i"}, {"+s"}, {"+k", "pw"}, {"+l", "50"},
+	} {
+		tserver.sendCommand(opToken, map[string]any{
+			commandKey: modeCmd,
+			toKey:      "#modestr",
+			bodyKey:    modeChange,
+		})
+	}
+
+	_, lastID := tserver.pollMessages(opToken, 0)
+
+	// Query mode.
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: modeCmd, toKey: "#modestr",
+	})
+
+	msgs, _ := tserver.pollMessages(opToken, lastID)
+	modeMsg := findNumericWithParams(msgs, "324")
+
+	if modeMsg == nil {
+		t.Fatal("expected 324 RPL_CHANNELMODEIS")
+	}
+
+	params := getNumericParams(modeMsg)
+	if len(params) < 2 {
+		t.Fatalf("too few params in 324: %v", params)
+	}
+
+	modeString := params[1]
+
+	for _, c := range []string{"i", "s", "k", "l"} {
+		if !strings.Contains(modeString, c) {
+			t.Fatalf(
+				"mode string %q missing %q",
+				modeString, c,
+			)
+		}
+	}
+}
+
+// TestISUPPORT verifies the 005 numeric includes the
+// updated CHANMODES string.
+func TestISUPPORT(t *testing.T) {
+	tserver := newTestServer(t)
+	token := tserver.createSession("isupport")
+
+	msgs, _ := tserver.pollMessages(token, 0)
+
+	isupp := findNumericWithParams(msgs, "005")
+	if isupp == nil {
+		t.Fatal("expected 005 RPL_ISUPPORT")
+	}
+
+	body, _ := isupp["body"].(string)
+	params := getNumericParams(isupp)
+
+	combined := body + " " + strings.Join(params, " ")
+
+	if !strings.Contains(combined, "CHANMODES=b,k,Hl,imnst") {
+		t.Fatalf(
+			"ISUPPORT missing updated CHANMODES, got body=%q params=%v",
+			body, params,
+		)
+	}
+}
+
+// TestNonOpCannotSetModes verifies non-operators
+// cannot set +i, +s, +k, +l, +b.
+func TestNonOpCannotSetModes(t *testing.T) {
+	tserver := newTestServer(t)
+	opToken := tserver.createSession("modeopx")
+	userToken := tserver.createSession("modeusrx")
+
+	tserver.sendCommand(opToken, map[string]any{
+		commandKey: joinCmd, toKey: "#noperm",
+	})
+	tserver.sendCommand(userToken, map[string]any{
+		commandKey: joinCmd, toKey: "#noperm",
+	})
+
+	modes := [][]string{
+		{"+i"}, {"+s"}, {"+k", "key"}, {"+l", "10"},
+		{"+b", "bad!*@*"},
+	}
+
+	for _, modeChange := range modes {
+		_, lastID := tserver.pollMessages(userToken, 0)
+		tserver.sendCommand(userToken, map[string]any{
+			commandKey: modeCmd,
+			toKey:      "#noperm",
+			bodyKey:    modeChange,
+		})
+
+		msgs, _ := tserver.pollMessages(userToken, lastID)
+
+		// Should get 482 ERR_CHANOPRIVSNEEDED.
+		if !findNumeric(msgs, "482") {
+			t.Fatalf(
+				"expected 482 for %v, got %v",
+				modeChange, msgs,
+			)
+		}
+	}
+}

internal/ircserver/commands.go

@@ -179,7 +179,7 @@ func (c *Conn) joinChannel(
 	channel string,
 ) {
 	result, err := c.svc.JoinChannel(
-		ctx, c.sessionID, c.nick, channel,
+		ctx, c.sessionID, c.nick, channel, "",
 	)
 	if err != nil {
 		c.sendIRCError(err)
@@ -490,6 +490,124 @@ func (c *Conn) handleChannelMode(
 	)
 }
 
+// modeResult holds the delta strings produced by a
+// single mode-char application.
+type modeResult struct {
+	applied     string
+	appliedArgs string
+	consumed    int
+	skip        bool
+}
+
+// applyHashcashMode handles +H/-H (hashcash difficulty).
+func (c *Conn) applyHashcashMode(
+	ctx context.Context,
+	chID int64,
+	adding bool,
+	args []string,
+	argIdx int,
+) modeResult {
+	if !adding {
+		_ = c.database.SetChannelHashcashBits(
+			ctx, chID, 0,
+		)
+
+		return modeResult{
+			applied:     "-H",
+			appliedArgs: "",
+			consumed:    0,
+			skip:        false,
+		}
+	}
+
+	if argIdx >= len(args) {
+		return modeResult{
+			applied:     "",
+			appliedArgs: "",
+			consumed:    0,
+			skip:        true,
+		}
+	}
+
+	bitsStr := args[argIdx]
+
+	bits, parseErr := strconv.Atoi(bitsStr)
+	if parseErr != nil ||
+		bits < 1 || bits > maxHashcashBits {
+		c.sendNumeric(
+			irc.ErrUnknownMode, "H",
+			"is unknown mode char to me",
+		)
+
+		return modeResult{
+			applied:     "",
+			appliedArgs: "",
+			consumed:    1,
+			skip:        true,
+		}
+	}
+
+	_ = c.database.SetChannelHashcashBits(
+		ctx, chID, bits,
+	)
+
+	return modeResult{
+		applied:     "+H",
+		appliedArgs: " " + bitsStr,
+		consumed:    1,
+		skip:        false,
+	}
+}
+
+// applyMemberMode handles +o/-o and +v/-v.
+func (c *Conn) applyMemberMode(
+	ctx context.Context,
+	chID int64,
+	channel string,
+	modeChar rune,
+	adding bool,
+	args []string,
+	argIdx int,
+) modeResult {
+	if argIdx >= len(args) {
+		return modeResult{
+			applied:     "",
+			appliedArgs: "",
+			consumed:    0,
+			skip:        true,
+		}
+	}
+
+	targetNick := args[argIdx]
+
+	err := c.svc.ApplyMemberMode(
+		ctx, chID, channel,
+		targetNick, modeChar, adding,
+	)
+	if err != nil {
+		c.sendIRCError(err)
+
+		return modeResult{
+			applied:     "",
+			appliedArgs: "",
+			consumed:    1,
+			skip:        true,
+		}
+	}
+
+	prefix := "+"
+	if !adding {
+		prefix = "-"
+	}
+
+	return modeResult{
+		applied:     prefix + string(modeChar),
+		appliedArgs: " " + targetNick,
+		consumed:    1,
+		skip:        false,
+	}
+}
+
 // applyChannelModes applies mode changes using the
 // service for individual mode operations.
 func (c *Conn) applyChannelModes(
@@ -505,52 +623,57 @@ func (c *Conn) applyChannelModes(
 	appliedArgs := ""
 
 	for _, modeChar := range modeStr {
+		var res modeResult
+
 		switch modeChar {
 		case '+':
 			adding = true
+
+			continue
 		case '-':
 			adding = false
-		case 'm', 't':
+
+			continue
+		case 'i', 'm', 'n', 's', 't':
 			_ = c.svc.SetChannelFlag(
 				ctx, chID, modeChar, adding,
 			)
 
-			if adding {
-				applied += "+" + string(modeChar)
-			} else {
-				applied += "-" + string(modeChar)
-			}
-		case 'o', 'v':
-			if argIdx >= len(args) {
-				break
+			prefix := "+"
+			if !adding {
+				prefix = "-"
 			}
 
-			targetNick := args[argIdx]
-			argIdx++
-
-			err := c.svc.ApplyMemberMode(
-				ctx, chID, channel,
-				targetNick, modeChar, adding,
+			res = modeResult{
+				applied:     prefix + string(modeChar),
+				appliedArgs: "",
+				consumed:    0,
+				skip:        false,
+			}
+		case 'H':
+			res = c.applyHashcashMode(
+				ctx, chID, adding, args, argIdx,
+			)
+		case 'o', 'v':
+			res = c.applyMemberMode(
+				ctx, chID, channel,
+				modeChar, adding, args, argIdx,
 			)
-			if err != nil {
-				c.sendIRCError(err)
-
-				continue
-			}
-
-			if adding {
-				applied += "+" + string(modeChar)
-			} else {
-				applied += "-" + string(modeChar)
-			}
-
-			appliedArgs += " " + targetNick
 		default:
 			c.sendNumeric(
 				irc.ErrUnknownMode,
 				string(modeChar),
 				"is unknown mode char to me",
 			)
+
+			continue
+		}
+
+		argIdx += res.consumed
+
+		if !res.skip {
+			applied += res.applied
+			appliedArgs += res.appliedArgs
 		}
 	}
 

internal/ircserver/conn.go

@@ -28,6 +28,7 @@ const (
 	pongDeadline    = 30 * time.Second
 	maxNickLen      = 32
 	minPasswordLen  = 8
+	maxHashcashBits = 40
 )
 
 // cmdHandler is the signature for registered IRC command
@@ -434,7 +435,7 @@ func (c *Conn) deliverWelcome() {
 		"CHANTYPES=#",
 		"NICKLEN=32",
 		"PREFIX=(ov)@+",
-		"CHANMODES=,,H,mnst",
+		"CHANMODES=,,H,imnst",
 		"NETWORK="+c.serverSfx,
 		"are supported by this server",
 	)

internal/ircserver/export_test.go

@@ -19,12 +19,9 @@ func NewTestServer(
 	database *db.Database,
 	brk *broker.Broker,
 ) *Server {
-	svc := &service.Service{
-		DB:     database,
-		Broker: brk,
-		Config: cfg,
-		Log:    log,
-	}
+	svc := service.NewTestService(
+		database, brk, cfg, log,
+	)
 
 	return &Server{ //nolint:exhaustruct
 		log:      log,

internal/ircserver/integration_test.go

@@ -0,0 +1,913 @@
+package ircserver_test
+
+import (
+	"strings"
+	"testing"
+	"time"
+)
+
+// TestIntegrationTwoClients is a comprehensive integration
+// test that spawns the IRC server programmatically, connects
+// two real TCP clients, and verifies all major IRC features
+// including cross-client message delivery.
+//
+// The test runs sequentially through IRC features because
+// both clients share the same channel state.  Each section
+// builds on the previous one (e.g. alice and bob must be
+// JOINed before PRIVMSG can be tested).
+//
+//nolint:cyclop,funlen,maintidx // integration test
+func TestIntegrationTwoClients(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	alice := env.dial(t)
+	bob := env.dial(t)
+
+	// ── Registration ──────────────────────────────────
+
+	aliceWelcome := alice.register("alice")
+	assertContains(
+		t, aliceWelcome, " 001 ", "RPL_WELCOME alice",
+	)
+	assertContains(
+		t, aliceWelcome, " 002 ", "RPL_YOURHOST alice",
+	)
+	assertContains(
+		t, aliceWelcome, " 003 ", "RPL_CREATED alice",
+	)
+	assertContains(
+		t, aliceWelcome, " 004 ", "RPL_MYINFO alice",
+	)
+	assertContains(
+		t, aliceWelcome, "alice",
+		"nick in welcome burst",
+	)
+
+	bobWelcome := bob.register("bob")
+	assertContains(
+		t, bobWelcome, " 001 ", "RPL_WELCOME bob",
+	)
+	assertContains(
+		t, bobWelcome, "bob",
+		"nick in welcome burst",
+	)
+
+	// ── JOIN and cross-client visibility ──────────────
+
+	alice.send("JOIN #integration")
+	aliceJoinLines := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 366 ")
+	})
+	assertContains(
+		t, aliceJoinLines, "JOIN",
+		"alice receives JOIN echo",
+	)
+	assertContains(
+		t, aliceJoinLines, " 366 ",
+		"RPL_ENDOFNAMES for alice",
+	)
+
+	bob.send("JOIN #integration")
+	bobJoinLines := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 366 ")
+	})
+	assertContains(
+		t, bobJoinLines, "JOIN",
+		"bob receives JOIN echo",
+	)
+
+	// Alice should see bob's JOIN via relay.
+	aliceSeesBob := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "JOIN") &&
+			strings.Contains(l, "bob")
+	})
+	assertContains(
+		t, aliceSeesBob, "bob",
+		"alice sees bob's JOIN",
+	)
+
+	// ── PRIVMSG (channel) — alice to bob ──────────────
+
+	alice.send("PRIVMSG #integration :hello from alice")
+
+	bobGetsMsg := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "hello from alice")
+	})
+	assertContains(
+		t, bobGetsMsg, "hello from alice",
+		"bob receives alice's channel message",
+	)
+
+	// ── PRIVMSG (channel) — bob to alice ──────────────
+
+	bob.send("PRIVMSG #integration :hello from bob")
+
+	aliceGetsMsg := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "hello from bob")
+	})
+	assertContains(
+		t, aliceGetsMsg, "hello from bob",
+		"alice receives bob's channel message",
+	)
+
+	// ── PRIVMSG (DM) — alice to bob ──────────────────
+
+	alice.send("PRIVMSG bob :secret message")
+
+	bobDM := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "secret message")
+	})
+	assertContains(
+		t, bobDM, "secret message",
+		"bob receives alice's DM",
+	)
+	assertContains(
+		t, bobDM, "alice",
+		"DM from field is alice",
+	)
+
+	// ── PRIVMSG (DM) — bob to alice ──────────────────
+
+	bob.send("PRIVMSG alice :reply to you")
+
+	aliceDM := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "reply to you")
+	})
+	assertContains(
+		t, aliceDM, "reply to you",
+		"alice receives bob's DM",
+	)
+
+	// ── NOTICE (channel) ──────────────────────────────
+
+	alice.send("NOTICE #integration :notice msg")
+
+	bobNotice := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "notice msg")
+	})
+	assertContains(
+		t, bobNotice, "NOTICE",
+		"bob receives NOTICE command",
+	)
+	assertContains(
+		t, bobNotice, "notice msg",
+		"bob receives NOTICE text",
+	)
+
+	// ── NOTICE (DM) ──────────────────────────────────
+
+	bob.send("NOTICE alice :dm notice")
+
+	aliceNotice := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "dm notice")
+	})
+	assertContains(
+		t, aliceNotice, "dm notice",
+		"alice receives DM NOTICE",
+	)
+
+	// ── TOPIC ─────────────────────────────────────────
+	// alice is the channel creator so she is +o.
+
+	alice.send("TOPIC #integration :Integration Test Topic")
+
+	aliceTopic := alice.readUntil(func(l string) bool {
+		return strings.Contains(
+			l, "Integration Test Topic",
+		)
+	})
+	assertContains(
+		t, aliceTopic, "Integration Test Topic",
+		"alice sees TOPIC echo",
+	)
+
+	bobTopic := bob.readUntil(func(l string) bool {
+		return strings.Contains(
+			l, "Integration Test Topic",
+		)
+	})
+	assertContains(
+		t, bobTopic, "Integration Test Topic",
+		"bob receives TOPIC change",
+	)
+
+	// ── MODE (query) ──────────────────────────────────
+
+	alice.send("MODE #integration")
+
+	aliceMode := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 324 ")
+	})
+	assertContains(
+		t, aliceMode, " 324 ",
+		"RPL_CHANNELMODEIS",
+	)
+
+	// ── MODE (+m moderated, then -m) ──────────────────
+
+	alice.send("MODE #integration +m")
+
+	aliceModeM := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "MODE") &&
+			strings.Contains(l, "+m")
+	})
+	assertContains(
+		t, aliceModeM, "+m",
+		"alice sees MODE +m echo",
+	)
+
+	bobModeM := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "+m")
+	})
+	assertContains(
+		t, bobModeM, "+m",
+		"bob sees MODE +m relay",
+	)
+
+	// Revert moderated mode.
+	alice.send("MODE #integration -m")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "-m")
+	})
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "-m")
+	})
+
+	// ── MODE (+v voice, then -v) ──────────────────────
+
+	alice.send("MODE #integration +v bob")
+
+	aliceVoice := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "+v")
+	})
+	assertContains(
+		t, aliceVoice, "+v",
+		"alice sees +v echo",
+	)
+
+	bobVoice := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "+v")
+	})
+	assertContains(
+		t, bobVoice, "+v",
+		"bob receives +v relay",
+	)
+
+	// Remove voice.
+	alice.send("MODE #integration -v bob")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "-v")
+	})
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "-v")
+	})
+
+	// ── NAMES ─────────────────────────────────────────
+
+	alice.send("NAMES #integration")
+
+	aliceNames := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 366 ")
+	})
+	assertContains(
+		t, aliceNames, " 353 ",
+		"RPL_NAMREPLY",
+	)
+	assertContains(
+		t, aliceNames, " 366 ",
+		"RPL_ENDOFNAMES",
+	)
+
+	// Both nicks should appear in the name list.
+	foundBothNames := false
+	for _, line := range aliceNames {
+		if strings.Contains(line, " 353 ") &&
+			strings.Contains(line, "alice") &&
+			strings.Contains(line, "bob") {
+			foundBothNames = true
+
+			break
+		}
+	}
+
+	if !foundBothNames {
+		t.Error("NAMES reply should list both alice and bob")
+	}
+
+	// ── LIST ──────────────────────────────────────────
+
+	alice.send("LIST")
+
+	aliceList := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 323 ")
+	})
+	assertContains(
+		t, aliceList, " 322 ",
+		"RPL_LIST entry",
+	)
+	assertContains(
+		t, aliceList, "#integration",
+		"LIST includes #integration",
+	)
+	assertContains(
+		t, aliceList, " 323 ", //nolint:misspell // IRC RPL_LISTEND
+		"RPL_LISTEND", //nolint:misspell // IRC term
+	)
+
+	// ── WHO ───────────────────────────────────────────
+
+	bob.send("WHO #integration")
+
+	bobWho := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 315 ")
+	})
+	assertContains(
+		t, bobWho, " 352 ",
+		"RPL_WHOREPLY",
+	)
+	assertContains(
+		t, bobWho, " 315 ",
+		"RPL_ENDOFWHO",
+	)
+
+	// ── WHOIS ─────────────────────────────────────────
+
+	alice.send("WHOIS bob")
+
+	aliceWhois := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 318 ")
+	})
+	assertContains(
+		t, aliceWhois, " 311 ",
+		"RPL_WHOISUSER",
+	)
+	assertContains(
+		t, aliceWhois, " 312 ",
+		"RPL_WHOISSERVER",
+	)
+	assertContains(
+		t, aliceWhois, " 318 ",
+		"RPL_ENDOFWHOIS",
+	)
+
+	// ── WHOIS with channels ───────────────────────────
+
+	bob.send("WHOIS alice")
+
+	bobWhois := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 318 ")
+	})
+	assertContains(
+		t, bobWhois, " 319 ",
+		"RPL_WHOISCHANNELS",
+	)
+	assertContains(
+		t, bobWhois, "#integration",
+		"WHOIS shows #integration channel",
+	)
+
+	// ── LUSERS ────────────────────────────────────────
+
+	alice.send("LUSERS")
+
+	aliceLusers := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 255 ")
+	})
+	assertContains(
+		t, aliceLusers, " 251 ",
+		"RPL_LUSERCLIENT",
+	)
+	assertContains(
+		t, aliceLusers, " 255 ",
+		"RPL_LUSERME",
+	)
+
+	// ── NICK change ───────────────────────────────────
+
+	bob.send("NICK bobby")
+
+	bobNick := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "NICK") &&
+			strings.Contains(l, "bobby")
+	})
+	assertContains(
+		t, bobNick, "bobby",
+		"bob sees NICK change to bobby",
+	)
+
+	// alice should see the nick change relayed.
+	aliceNick := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "bobby")
+	})
+	assertContains(
+		t, aliceNick, "NICK",
+		"alice sees NICK command",
+	)
+	assertContains(
+		t, aliceNick, "bobby",
+		"alice sees new nick bobby",
+	)
+
+	// Change it back for remaining tests.
+	bob.send("NICK bob")
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "bob")
+	})
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "NICK") &&
+			strings.Contains(l, "bob")
+	})
+
+	// ── Duplicate NICK ────────────────────────────────
+
+	bob.send("NICK alice")
+
+	bobDupNick := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 433 ")
+	})
+	assertContains(
+		t, bobDupNick, " 433 ",
+		"ERR_NICKNAMEINUSE",
+	)
+
+	// ── KICK ──────────────────────────────────────────
+	// alice is op; she kicks bob.
+
+	alice.send("KICK #integration bob :testing kick")
+
+	aliceKick := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "KICK")
+	})
+	assertContains(
+		t, aliceKick, "KICK",
+		"alice sees KICK echo",
+	)
+	assertContains(
+		t, aliceKick, "bob",
+		"KICK mentions bob",
+	)
+
+	bobKick := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "KICK")
+	})
+	assertContains(
+		t, bobKick, "KICK",
+		"bob receives KICK",
+	)
+	assertContains(
+		t, bobKick, "testing kick",
+		"KICK reason is relayed",
+	)
+
+	// bob rejoins.
+	bob.joinAndDrain("#integration")
+
+	// Drain alice's view of the rejoin.
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "JOIN") &&
+			strings.Contains(l, "bob")
+	})
+
+	// ── KICK non-op should fail ───────────────────────
+
+	bob.send("KICK #integration alice :nope")
+
+	bobKickFail := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 482 ")
+	})
+	assertContains(
+		t, bobKickFail, " 482 ",
+		"ERR_CHANOPRIVSNEEDED",
+	)
+
+	// ── TOPIC lock (+t default) ───────────────────────
+	// +t is default, so bob should not be able to set
+	// topic.
+
+	bob.send("TOPIC #integration :bob tries topic")
+
+	bobTopicFail := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 482 ")
+	})
+	assertContains(
+		t, bobTopicFail, " 482 ",
+		"ERR_CHANOPRIVSNEEDED for topic",
+	)
+
+	// ── PING / PONG ───────────────────────────────────
+
+	alice.send("PING :testtoken")
+
+	alicePong := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "PONG")
+	})
+	assertContains(
+		t, alicePong, "PONG",
+		"PONG response received",
+	)
+
+	// ── Unknown command ───────────────────────────────
+
+	bob.send("FOOBAR")
+
+	bobUnknown := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 421 ")
+	})
+	assertContains(
+		t, bobUnknown, " 421 ",
+		"ERR_UNKNOWNCOMMAND",
+	)
+
+	// ── MOTD ──────────────────────────────────────────
+
+	alice.send("MOTD")
+
+	aliceMOTD := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 376 ")
+	})
+	assertContains(
+		t, aliceMOTD, " 376 ",
+		"RPL_ENDOFMOTD",
+	)
+
+	// ── AWAY (set, check via DM, clear) ───────────────
+
+	alice.send("AWAY :gone fishing")
+
+	aliceAway := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 306 ")
+	})
+	assertContains(
+		t, aliceAway, " 306 ",
+		"RPL_NOWAWAY",
+	)
+
+	// bob DMs alice — should get RPL_AWAY.
+	bob.send("PRIVMSG alice :are you there?")
+
+	bobAwayReply := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 301 ")
+	})
+	assertContains(
+		t, bobAwayReply, " 301 ",
+		"RPL_AWAY for bob when messaging alice",
+	)
+	assertContains(
+		t, bobAwayReply, "gone fishing",
+		"away message relayed",
+	)
+
+	// Clear away.
+	alice.send("AWAY")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 305 ")
+	})
+
+	// ── PASS (set password post-registration) ─────────
+
+	alice.send("PASS :mypassword123")
+
+	alicePass := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "Password set")
+	})
+	assertContains(
+		t, alicePass, "Password set",
+		"password set confirmation",
+	)
+
+	// ── MODE -t/+t topic lock toggle ──────────────────
+
+	alice.send("MODE #integration -t")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "-t")
+	})
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "-t")
+	})
+
+	// Now bob should be able to set topic.
+	bob.send("TOPIC #integration :bob sets topic now")
+
+	bobTopicOK := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "bob sets topic now")
+	})
+	assertContains(
+		t, bobTopicOK, "bob sets topic now",
+		"bob can set topic after -t",
+	)
+
+	// alice sees the topic change.
+	aliceTopicRelay := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "bob sets topic now")
+	})
+	assertContains(
+		t, aliceTopicRelay, "bob sets topic now",
+		"alice sees bob's topic after -t",
+	)
+
+	// Restore +t.
+	alice.send("MODE #integration +t")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "+t")
+	})
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "+t")
+	})
+
+	// ── DM to nonexistent nick ────────────────────────
+
+	alice.send("PRIVMSG nobody123 :hello")
+
+	aliceNoSuch := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 401 ")
+	})
+	assertContains(
+		t, aliceNoSuch, " 401 ",
+		"ERR_NOSUCHNICK",
+	)
+
+	// ── PART with reason ──────────────────────────────
+
+	bob.send("PART #integration :bye for now")
+
+	bobPart := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "PART")
+	})
+	assertContains(
+		t, bobPart, "PART",
+		"bob sees PART echo",
+	)
+
+	// alice sees bob PART via relay.
+	alicePart := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "PART") &&
+			strings.Contains(l, "bob")
+	})
+	assertContains(
+		t, alicePart, "bob",
+		"alice sees bob's PART",
+	)
+	assertContains(
+		t, alicePart, "bye for now",
+		"PART reason is relayed",
+	)
+
+	// bob rejoins for remaining tests.
+	bob.joinAndDrain("#integration")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "JOIN") &&
+			strings.Contains(l, "bob")
+	})
+
+	// ── PART non-existent channel ─────────────────────
+
+	bob.send("PART #nonexistent")
+
+	bobPartFail := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 403 ") ||
+			strings.Contains(l, " 442 ")
+	})
+
+	foundPartErr := false
+	for _, line := range bobPartFail {
+		if strings.Contains(line, " 403 ") ||
+			strings.Contains(line, " 442 ") {
+			foundPartErr = true
+
+			break
+		}
+	}
+
+	if !foundPartErr {
+		t.Error(
+			"expected ERR_NOSUCHCHANNEL or " +
+				"ERR_NOTONCHANNEL",
+		)
+	}
+
+	// ── User MODE query ───────────────────────────────
+
+	alice.send("MODE alice")
+
+	aliceUMode := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 221 ")
+	})
+	assertContains(
+		t, aliceUMode, " 221 ",
+		"RPL_UMODEIS",
+	)
+
+	// ── Multiple channel operation ────────────────────
+
+	alice.send("JOIN #second")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 366 ")
+	})
+
+	bob.send("JOIN #second")
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 366 ")
+	})
+
+	// Drain alice seeing bob join.
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "JOIN") &&
+			strings.Contains(l, "bob")
+	})
+
+	alice.send("PRIVMSG #second :cross-channel test")
+
+	bobCross := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "cross-channel test")
+	})
+	assertContains(
+		t, bobCross, "cross-channel test",
+		"bob receives message in #second",
+	)
+
+	// Clean up #second.
+	alice.send("PART #second")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "PART")
+	})
+	bob.send("PART #second")
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "PART")
+	})
+
+	// ── QUIT ──────────────────────────────────────────
+
+	bob.send("QUIT :integration test done")
+
+	bobQuit := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "ERROR")
+	})
+	assertContains(
+		t, bobQuit, "integration test done",
+		"QUIT reason echoed",
+	)
+
+	// alice should see bob's QUIT via relay.
+	aliceQuit := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "QUIT") &&
+			strings.Contains(l, "bob")
+	})
+	assertContains(
+		t, aliceQuit, "bob",
+		"alice sees bob's QUIT",
+	)
+}
+
+// TestIntegrationModeSecret tests +s (secret) channel
+// mode — verifies that +s can be set and the mode is
+// reflected in MODE queries.
+func TestIntegrationModeSecret(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	alice := env.dial(t)
+	alice.register("alice")
+
+	alice.joinAndDrain("#secretroom")
+
+	// Set +s.
+	alice.send("MODE #secretroom +s")
+	aliceLines := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "+s")
+	})
+	assertContains(
+		t, aliceLines, "+s",
+		"alice sees MODE +s confirmation",
+	)
+
+	// Verify mode is reflected in query.
+	alice.send("MODE #secretroom")
+	modeLines := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, " 324 ")
+	})
+	assertContains(
+		t, modeLines, "s",
+		"channel mode includes s",
+	)
+}
+
+// TestIntegrationModeModerated tests +m (moderated) mode
+// — non-voiced users cannot send.
+func TestIntegrationModeModerated(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	alice := env.dial(t)
+	alice.register("alice")
+
+	bob := env.dial(t)
+	bob.register("bob")
+
+	alice.joinAndDrain("#modtest")
+	bob.joinAndDrain("#modtest")
+
+	// Drain alice's view of bob's join.
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "JOIN") &&
+			strings.Contains(l, "bob")
+	})
+
+	// Set +m.
+	alice.send("MODE #modtest +m")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "+m")
+	})
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "+m")
+	})
+
+	// bob should get an error trying to send.
+	bob.send("PRIVMSG #modtest :should fail")
+	bobLines := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, " 404 ") ||
+			strings.Contains(l, " 482 ")
+	})
+
+	foundModErr := false
+	for _, line := range bobLines {
+		if strings.Contains(line, " 404 ") ||
+			strings.Contains(line, " 482 ") {
+			foundModErr = true
+
+			break
+		}
+	}
+
+	if !foundModErr {
+		t.Error(
+			"non-voiced user should not be able to send " +
+				"in +m channel",
+		)
+	}
+
+	// Grant +v to bob, then he should be able to send.
+	alice.send("MODE #modtest +v bob")
+	alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "+v")
+	})
+	bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "+v")
+	})
+
+	bob.send("PRIVMSG #modtest :voiced message")
+	aliceLines := alice.readUntil(func(l string) bool {
+		return strings.Contains(l, "voiced message")
+	})
+	assertContains(
+		t, aliceLines, "voiced message",
+		"alice receives voiced bob's message",
+	)
+}
+
+// TestIntegrationThirdClientObserver verifies that a third
+// client observing the same channel receives messages from
+// the other two.
+func TestIntegrationThirdClientObserver(t *testing.T) {
+	t.Parallel()
+
+	env := newTestEnv(t)
+
+	alice := env.dial(t)
+	alice.register("alice")
+
+	bob := env.dial(t)
+	bob.register("bob")
+
+	carol := env.dial(t)
+	carol.register("carol")
+
+	alice.joinAndDrain("#trio")
+	bob.joinAndDrain("#trio")
+	carol.joinAndDrain("#trio")
+
+	// Drain join notifications.
+	time.Sleep(100 * time.Millisecond)
+
+	// alice sends; both bob and carol should receive.
+	alice.send("PRIVMSG #trio :hello trio")
+
+	bobLines := bob.readUntil(func(l string) bool {
+		return strings.Contains(l, "hello trio")
+	})
+	assertContains(
+		t, bobLines, "hello trio",
+		"bob receives trio message",
+	)
+
+	carolLines := carol.readUntil(func(l string) bool {
+		return strings.Contains(l, "hello trio")
+	})
+	assertContains(
+		t, carolLines, "hello trio",
+		"carol receives trio message",
+	)
+}

internal/service/service.go

@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
+	"strconv"
 	"strings"
 
 	"git.eeqj.de/sneak/neoirc/internal/broker"
@@ -30,19 +31,35 @@ type Params struct {
 
 // Service provides shared business logic for IRC commands.
 type Service struct {
-	DB     *db.Database
-	Broker *broker.Broker
-	Config *config.Config
-	Log    *slog.Logger
+	db     *db.Database
+	broker *broker.Broker
+	config *config.Config
+	log    *slog.Logger
 }
 
 // New creates a new Service.
 func New(params Params) *Service {
 	return &Service{
-		DB:     params.Database,
-		Broker: params.Broker,
-		Config: params.Config,
-		Log:    params.Logger.Get(),
+		db:     params.Database,
+		broker: params.Broker,
+		config: params.Config,
+		log:    params.Logger.Get(),
+	}
+}
+
+// NewTestService creates a Service for use in tests
+// outside the service package.
+func NewTestService(
+	database *db.Database,
+	brk *broker.Broker,
+	cfg *config.Config,
+	log *slog.Logger,
+) *Service {
+	return &Service{
+		db:     database,
+		broker: brk,
+		config: cfg,
+		log:    log,
 	}
 }
 
@@ -76,7 +93,7 @@ func (s *Service) FanOut(
 	params, body, meta json.RawMessage,
 	sessionIDs []int64,
 ) (int64, string, error) {
-	dbID, msgUUID, err := s.DB.InsertMessage(
+	dbID, msgUUID, err := s.db.InsertMessage(
 		ctx, command, from, to, params, body, meta,
 	)
 	if err != nil {
@@ -84,8 +101,8 @@ func (s *Service) FanOut(
 	}
 
 	for _, sid := range sessionIDs {
-		_ = s.DB.EnqueueToSession(ctx, sid, dbID)
-		s.Broker.Notify(sid)
+		_ = s.db.EnqueueToSession(ctx, sid, dbID)
+		s.broker.Notify(sid)
 	}
 
 	return dbID, msgUUID, nil
@@ -120,7 +137,7 @@ func (s *Service) SendChannelMessage(
 	nick, command, channel string,
 	body, meta json.RawMessage,
 ) (int64, string, error) {
-	chID, err := s.DB.GetChannelByName(ctx, channel)
+	chID, err := s.db.GetChannelByName(ctx, channel)
 	if err != nil {
 		return 0, "", &IRCError{
 			irc.ErrNoSuchChannel,
@@ -129,7 +146,7 @@ func (s *Service) SendChannelMessage(
 		}
 	}
 
-	isMember, _ := s.DB.IsChannelMember(
+	isMember, _ := s.db.IsChannelMember(
 		ctx, chID, sessionID,
 	)
 	if !isMember {
@@ -140,12 +157,24 @@ func (s *Service) SendChannelMessage(
 		}
 	}
 
-	moderated, _ := s.DB.IsChannelModerated(ctx, chID)
-	if moderated {
-		isOp, _ := s.DB.IsChannelOperator(
+	// Ban check — banned users cannot send messages.
+	isBanned, banErr := s.db.IsSessionBanned(
 		ctx, chID, sessionID,
 	)
-		isVoiced, _ := s.DB.IsChannelVoiced(
+	if banErr == nil && isBanned {
+		return 0, "", &IRCError{
+			irc.ErrCannotSendToChan,
+			[]string{channel},
+			"Cannot send to channel (+b)",
+		}
+	}
+
+	moderated, _ := s.db.IsChannelModerated(ctx, chID)
+	if moderated {
+		isOp, _ := s.db.IsChannelOperator(
+			ctx, chID, sessionID,
+		)
+		isVoiced, _ := s.db.IsChannelVoiced(
 			ctx, chID, sessionID,
 		)
 
@@ -158,7 +187,7 @@ func (s *Service) SendChannelMessage(
 		}
 	}
 
-	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	memberIDs, _ := s.db.GetChannelMemberIDs(ctx, chID)
 	recipients := excludeSession(memberIDs, sessionID)
 
 	dbID, uuid, fanErr := s.FanOut(
@@ -181,7 +210,7 @@ func (s *Service) SendDirectMessage(
 	nick, command, target string,
 	body, meta json.RawMessage,
 ) (*DirectMsgResult, error) {
-	targetSID, err := s.DB.GetSessionByNick(ctx, target)
+	targetSID, err := s.db.GetSessionByNick(ctx, target)
 	if err != nil {
 		return nil, &IRCError{
 			irc.ErrNoSuchNick,
@@ -190,7 +219,7 @@ func (s *Service) SendDirectMessage(
 		}
 	}
 
-	away, _ := s.DB.GetAway(ctx, targetSID)
+	away, _ := s.db.GetAway(ctx, targetSID)
 
 	recipients := []int64{targetSID}
 	if targetSID != sessionID {
@@ -214,31 +243,43 @@ func (s *Service) SendDirectMessage(
 func (s *Service) JoinChannel(
 	ctx context.Context,
 	sessionID int64,
-	nick, channel string,
+	nick, channel, suppliedKey string,
 ) (*JoinResult, error) {
-	chID, err := s.DB.GetOrCreateChannel(ctx, channel)
+	chID, err := s.db.GetOrCreateChannel(ctx, channel)
 	if err != nil {
 		return nil, fmt.Errorf("get/create channel: %w", err)
 	}
 
-	memberCount, countErr := s.DB.CountChannelMembers(
+	memberCount, countErr := s.db.CountChannelMembers(
 		ctx, chID,
 	)
 	isCreator := countErr == nil && memberCount == 0
 
+	if !isCreator {
+		if joinErr := checkJoinRestrictions(
+			ctx, s.db, chID, sessionID,
+			channel, suppliedKey, memberCount,
+		); joinErr != nil {
+			return nil, joinErr
+		}
+	}
+
 	if isCreator {
-		err = s.DB.JoinChannelAsOperator(
+		err = s.db.JoinChannelAsOperator(
 			ctx, chID, sessionID,
 		)
 	} else {
-		err = s.DB.JoinChannel(ctx, chID, sessionID)
+		err = s.db.JoinChannel(ctx, chID, sessionID)
 	}
 
 	if err != nil {
 		return nil, fmt.Errorf("join channel: %w", err)
 	}
 
-	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	// Clear invite after successful join.
+	_ = s.db.ClearChannelInvite(ctx, chID, sessionID)
+
+	memberIDs, _ := s.db.GetChannelMemberIDs(ctx, chID)
 	body, _ := json.Marshal([]string{channel}) //nolint:errchkjson
 
 	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
@@ -260,7 +301,7 @@ func (s *Service) PartChannel(
 	sessionID int64,
 	nick, channel, reason string,
 ) error {
-	chID, err := s.DB.GetChannelByName(ctx, channel)
+	chID, err := s.db.GetChannelByName(ctx, channel)
 	if err != nil {
 		return &IRCError{
 			irc.ErrNoSuchChannel,
@@ -269,7 +310,7 @@ func (s *Service) PartChannel(
 		}
 	}
 
-	isMember, _ := s.DB.IsChannelMember(
+	isMember, _ := s.db.IsChannelMember(
 		ctx, chID, sessionID,
 	)
 	if !isMember {
@@ -280,7 +321,7 @@ func (s *Service) PartChannel(
 		}
 	}
 
-	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	memberIDs, _ := s.db.GetChannelMemberIDs(ctx, chID)
 	recipients := excludeSession(memberIDs, sessionID)
 	body, _ := json.Marshal([]string{reason}) //nolint:errchkjson
 
@@ -289,8 +330,8 @@ func (s *Service) PartChannel(
 		nil, body, nil, recipients,
 	)
 
-	s.DB.PartChannel(ctx, chID, sessionID) //nolint:errcheck,gosec
-	s.DB.DeleteChannelIfEmpty(ctx, chID)   //nolint:errcheck,gosec
+	s.db.PartChannel(ctx, chID, sessionID) //nolint:errcheck,gosec
+	s.db.DeleteChannelIfEmpty(ctx, chID)   //nolint:errcheck,gosec
 
 	return nil
 }
@@ -302,7 +343,7 @@ func (s *Service) SetTopic(
 	sessionID int64,
 	nick, channel, topic string,
 ) error {
-	chID, err := s.DB.GetChannelByName(ctx, channel)
+	chID, err := s.db.GetChannelByName(ctx, channel)
 	if err != nil {
 		return &IRCError{
 			irc.ErrNoSuchChannel,
@@ -311,7 +352,7 @@ func (s *Service) SetTopic(
 		}
 	}
 
-	isMember, _ := s.DB.IsChannelMember(
+	isMember, _ := s.db.IsChannelMember(
 		ctx, chID, sessionID,
 	)
 	if !isMember {
@@ -322,9 +363,9 @@ func (s *Service) SetTopic(
 		}
 	}
 
-	topicLocked, _ := s.DB.IsChannelTopicLocked(ctx, chID)
+	topicLocked, _ := s.db.IsChannelTopicLocked(ctx, chID)
 	if topicLocked {
-		isOp, _ := s.DB.IsChannelOperator(
+		isOp, _ := s.db.IsChannelOperator(
 			ctx, chID, sessionID,
 		)
 		if !isOp {
@@ -336,15 +377,15 @@ func (s *Service) SetTopic(
 		}
 	}
 
-	if setErr := s.DB.SetTopic(
+	if setErr := s.db.SetTopic(
 		ctx, channel, topic,
 	); setErr != nil {
 		return fmt.Errorf("set topic: %w", setErr)
 	}
 
-	_ = s.DB.SetTopicMeta(ctx, channel, topic, nick)
+	_ = s.db.SetTopicMeta(ctx, channel, topic, nick)
 
-	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	memberIDs, _ := s.db.GetChannelMemberIDs(ctx, chID)
 	body, _ := json.Marshal([]string{topic}) //nolint:errchkjson
 
 	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
@@ -363,7 +404,7 @@ func (s *Service) KickUser(
 	sessionID int64,
 	nick, channel, targetNick, reason string,
 ) error {
-	chID, err := s.DB.GetChannelByName(ctx, channel)
+	chID, err := s.db.GetChannelByName(ctx, channel)
 	if err != nil {
 		return &IRCError{
 			irc.ErrNoSuchChannel,
@@ -372,7 +413,7 @@ func (s *Service) KickUser(
 		}
 	}
 
-	isOp, _ := s.DB.IsChannelOperator(
+	isOp, _ := s.db.IsChannelOperator(
 		ctx, chID, sessionID,
 	)
 	if !isOp {
@@ -383,7 +424,7 @@ func (s *Service) KickUser(
 		}
 	}
 
-	targetSID, err := s.DB.GetSessionByNick(
+	targetSID, err := s.db.GetSessionByNick(
 		ctx, targetNick,
 	)
 	if err != nil {
@@ -394,7 +435,7 @@ func (s *Service) KickUser(
 		}
 	}
 
-	isMember, _ := s.DB.IsChannelMember(
+	isMember, _ := s.db.IsChannelMember(
 		ctx, chID, targetSID,
 	)
 	if !isMember {
@@ -405,7 +446,7 @@ func (s *Service) KickUser(
 		}
 	}
 
-	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	memberIDs, _ := s.db.GetChannelMemberIDs(ctx, chID)
 	body, _ := json.Marshal([]string{reason}) //nolint:errchkjson
 	params, _ := json.Marshal(                //nolint:errchkjson
 		[]string{targetNick},
@@ -416,8 +457,8 @@ func (s *Service) KickUser(
 		params, body, nil, memberIDs,
 	)
 
-	s.DB.PartChannel(ctx, chID, targetSID) //nolint:errcheck,gosec
-	s.DB.DeleteChannelIfEmpty(ctx, chID)   //nolint:errcheck,gosec
+	s.db.PartChannel(ctx, chID, targetSID) //nolint:errcheck,gosec
+	s.db.DeleteChannelIfEmpty(ctx, chID)   //nolint:errcheck,gosec
 
 	return nil
 }
@@ -429,7 +470,7 @@ func (s *Service) ChangeNick(
 	sessionID int64,
 	oldNick, newNick string,
 ) error {
-	err := s.DB.ChangeNick(ctx, sessionID, newNick)
+	err := s.db.ChangeNick(ctx, sessionID, newNick)
 	if err != nil {
 		if strings.Contains(err.Error(), "UNIQUE") ||
 			db.IsUniqueConstraintError(err) {
@@ -461,7 +502,7 @@ func (s *Service) BroadcastQuit(
 	sessionID int64,
 	nick, reason string,
 ) {
-	channels, err := s.DB.GetSessionChannels(
+	channels, err := s.db.GetSessionChannels(
 		ctx, sessionID,
 	)
 	if err != nil {
@@ -471,7 +512,7 @@ func (s *Service) BroadcastQuit(
 	notified := make(map[int64]bool)
 
 	for _, ch := range channels {
-		memberIDs, memErr := s.DB.GetChannelMemberIDs(
+		memberIDs, memErr := s.db.GetChannelMemberIDs(
 			ctx, ch.ID,
 		)
 		if memErr != nil {
@@ -502,11 +543,11 @@ func (s *Service) BroadcastQuit(
 	}
 
 	for _, ch := range channels {
-		s.DB.PartChannel(ctx, ch.ID, sessionID) //nolint:errcheck,gosec
-		s.DB.DeleteChannelIfEmpty(ctx, ch.ID)   //nolint:errcheck,gosec
+		s.db.PartChannel(ctx, ch.ID, sessionID) //nolint:errcheck,gosec
+		s.db.DeleteChannelIfEmpty(ctx, ch.ID)   //nolint:errcheck,gosec
 	}
 
-	s.DB.DeleteSession(ctx, sessionID) //nolint:errcheck,gosec
+	s.db.DeleteSession(ctx, sessionID) //nolint:errcheck,gosec
 }
 
 // SetAway sets or clears the away message. Returns true
@@ -516,7 +557,7 @@ func (s *Service) SetAway(
 	sessionID int64,
 	message string,
 ) (bool, error) {
-	err := s.DB.SetAway(ctx, sessionID, message)
+	err := s.db.SetAway(ctx, sessionID, message)
 	if err != nil {
 		return false, fmt.Errorf("set away: %w", err)
 	}
@@ -531,8 +572,8 @@ func (s *Service) Oper(
 	sessionID int64,
 	name, password string,
 ) error {
-	cfgName := s.Config.OperName
-	cfgPassword := s.Config.OperPassword
+	cfgName := s.config.OperName
+	cfgPassword := s.config.OperPassword
 
 	// Use constant-time comparison and return the same
 	// error for all failures to prevent information
@@ -551,7 +592,7 @@ func (s *Service) Oper(
 		}
 	}
 
-	_ = s.DB.SetSessionOper(ctx, sessionID, true)
+	_ = s.db.SetSessionOper(ctx, sessionID, true)
 
 	return nil
 }
@@ -563,7 +604,7 @@ func (s *Service) ValidateChannelOp(
 	sessionID int64,
 	channel string,
 ) (int64, error) {
-	chID, err := s.DB.GetChannelByName(ctx, channel)
+	chID, err := s.db.GetChannelByName(ctx, channel)
 	if err != nil {
 		return 0, &IRCError{
 			irc.ErrNoSuchChannel,
@@ -572,7 +613,7 @@ func (s *Service) ValidateChannelOp(
 		}
 	}
 
-	isOp, _ := s.DB.IsChannelOperator(
+	isOp, _ := s.db.IsChannelOperator(
 		ctx, chID, sessionID,
 	)
 	if !isOp {
@@ -595,7 +636,7 @@ func (s *Service) ApplyMemberMode(
 	mode rune,
 	adding bool,
 ) error {
-	targetSID, err := s.DB.GetSessionByNick(
+	targetSID, err := s.db.GetSessionByNick(
 		ctx, targetNick,
 	)
 	if err != nil {
@@ -606,7 +647,7 @@ func (s *Service) ApplyMemberMode(
 		}
 	}
 
-	isMember, _ := s.DB.IsChannelMember(
+	isMember, _ := s.db.IsChannelMember(
 		ctx, chID, targetSID,
 	)
 	if !isMember {
@@ -619,11 +660,11 @@ func (s *Service) ApplyMemberMode(
 
 	switch mode {
 	case 'o':
-		_ = s.DB.SetChannelMemberOperator(
+		_ = s.db.SetChannelMemberOperator(
 			ctx, chID, targetSID, adding,
 		)
 	case 'v':
-		_ = s.DB.SetChannelMemberVoiced(
+		_ = s.db.SetChannelMemberVoiced(
 			ctx, chID, targetSID, adding,
 		)
 	}
@@ -631,7 +672,8 @@ func (s *Service) ApplyMemberMode(
 	return nil
 }
 
-// SetChannelFlag applies +m/-m or +t/-t on a channel.
+// SetChannelFlag applies a simple boolean channel mode
+// (+m/-m, +t/-t, +i/-i, +s/-s, +n/-n).
 func (s *Service) SetChannelFlag(
 	ctx context.Context,
 	chID int64,
@@ -640,17 +682,37 @@ func (s *Service) SetChannelFlag(
 ) error {
 	switch flag {
 	case 'm':
-		if err := s.DB.SetChannelModerated(
+		if err := s.db.SetChannelModerated(
 			ctx, chID, setting,
 		); err != nil {
 			return fmt.Errorf("set moderated: %w", err)
 		}
 	case 't':
-		if err := s.DB.SetChannelTopicLocked(
+		if err := s.db.SetChannelTopicLocked(
 			ctx, chID, setting,
 		); err != nil {
 			return fmt.Errorf("set topic locked: %w", err)
 		}
+	case 'i':
+		if err := s.db.SetChannelInviteOnly(
+			ctx, chID, setting,
+		); err != nil {
+			return fmt.Errorf("set invite only: %w", err)
+		}
+	case 's':
+		if err := s.db.SetChannelSecret(
+			ctx, chID, setting,
+		); err != nil {
+			return fmt.Errorf("set secret: %w", err)
+		}
+	case 'n':
+		if err := s.db.SetChannelNoExternal(
+			ctx, chID, setting,
+		); err != nil {
+			return fmt.Errorf(
+				"set no external: %w", err,
+			)
+		}
 	}
 
 	return nil
@@ -664,7 +726,7 @@ func (s *Service) BroadcastMode(
 	chID int64,
 	modeText string,
 ) {
-	memberIDs, _ := s.DB.GetChannelMemberIDs(ctx, chID)
+	memberIDs, _ := s.db.GetChannelMemberIDs(ctx, chID)
 	body, _ := json.Marshal([]string{modeText}) //nolint:errchkjson
 
 	_, _, _ = s.FanOut( //nolint:dogsled // fire-and-forget broadcast
@@ -673,24 +735,60 @@ func (s *Service) BroadcastMode(
 	)
 }
 
-// QueryChannelMode returns the channel mode string.
+// QueryChannelMode returns the complete channel mode
+// string including all flags and parameterized modes.
 func (s *Service) QueryChannelMode(
 	ctx context.Context,
 	chID int64,
 ) string {
 	modes := "+"
 
-	moderated, _ := s.DB.IsChannelModerated(ctx, chID)
+	noExternal, _ := s.db.IsChannelNoExternal(ctx, chID)
+	if noExternal {
+		modes += "n"
+	}
+
+	inviteOnly, _ := s.db.IsChannelInviteOnly(ctx, chID)
+	if inviteOnly {
+		modes += "i"
+	}
+
+	moderated, _ := s.db.IsChannelModerated(ctx, chID)
 	if moderated {
 		modes += "m"
 	}
 
-	topicLocked, _ := s.DB.IsChannelTopicLocked(ctx, chID)
+	secret, _ := s.db.IsChannelSecret(ctx, chID)
+	if secret {
+		modes += "s"
+	}
+
+	topicLocked, _ := s.db.IsChannelTopicLocked(ctx, chID)
 	if topicLocked {
 		modes += "t"
 	}
 
-	return modes
+	var modeParams string
+
+	key, _ := s.db.GetChannelKey(ctx, chID)
+	if key != "" {
+		modes += "k"
+		modeParams += " " + key
+	}
+
+	limit, _ := s.db.GetChannelUserLimit(ctx, chID)
+	if limit > 0 {
+		modes += "l"
+		modeParams += " " + strconv.Itoa(limit)
+	}
+
+	bits, _ := s.db.GetChannelHashcashBits(ctx, chID)
+	if bits > 0 {
+		modes += "H"
+		modeParams += " " + strconv.Itoa(bits)
+	}
+
+	return modes + modeParams
 }
 
 // broadcastNickChange notifies channel peers of a nick
@@ -700,7 +798,7 @@ func (s *Service) broadcastNickChange(
 	sessionID int64,
 	oldNick, newNick string,
 ) {
-	channels, err := s.DB.GetSessionChannels(
+	channels, err := s.db.GetSessionChannels(
 		ctx, sessionID,
 	)
 	if err != nil {
@@ -710,7 +808,7 @@ func (s *Service) broadcastNickChange(
 	body, _ := json.Marshal([]string{newNick}) //nolint:errchkjson
 	notified := make(map[int64]bool)
 
-	dbID, _, insErr := s.DB.InsertMessage(
+	dbID, _, insErr := s.db.InsertMessage(
 		ctx, irc.CmdNick, oldNick, "",
 		nil, body, nil,
 	)
@@ -719,12 +817,12 @@ func (s *Service) broadcastNickChange(
 	}
 
 	// Notify the user themselves (for multi-client sync).
-	_ = s.DB.EnqueueToSession(ctx, sessionID, dbID)
-	s.Broker.Notify(sessionID)
+	_ = s.db.EnqueueToSession(ctx, sessionID, dbID)
+	s.broker.Notify(sessionID)
 	notified[sessionID] = true
 
 	for _, ch := range channels {
-		memberIDs, memErr := s.DB.GetChannelMemberIDs(
+		memberIDs, memErr := s.db.GetChannelMemberIDs(
 			ctx, ch.ID,
 		)
 		if memErr != nil {
@@ -738,8 +836,66 @@ func (s *Service) broadcastNickChange(
 
 			notified[mid] = true
 
-			_ = s.DB.EnqueueToSession(ctx, mid, dbID)
-			s.Broker.Notify(mid)
+			_ = s.db.EnqueueToSession(ctx, mid, dbID)
+			s.broker.Notify(mid)
 		}
 	}
 }
+
+// checkJoinRestrictions validates Tier 2 join conditions:
+// bans, invite-only, channel key, and user limit.
+func checkJoinRestrictions(
+	ctx context.Context,
+	database *db.Database,
+	chID, sessionID int64,
+	channel, suppliedKey string,
+	memberCount int64,
+) error {
+	isBanned, banErr := database.IsSessionBanned(
+		ctx, chID, sessionID,
+	)
+	if banErr == nil && isBanned {
+		return &IRCError{
+			Code:    irc.ErrBannedFromChan,
+			Params:  []string{channel},
+			Message: "Cannot join channel (+b)",
+		}
+	}
+
+	isInviteOnly, ioErr := database.IsChannelInviteOnly(
+		ctx, chID,
+	)
+	if ioErr == nil && isInviteOnly {
+		hasInvite, invErr := database.HasChannelInvite(
+			ctx, chID, sessionID,
+		)
+		if invErr != nil || !hasInvite {
+			return &IRCError{
+				Code:    irc.ErrInviteOnlyChan,
+				Params:  []string{channel},
+				Message: "Cannot join channel (+i)",
+			}
+		}
+	}
+
+	key, keyErr := database.GetChannelKey(ctx, chID)
+	if keyErr == nil && key != "" && suppliedKey != key {
+		return &IRCError{
+			Code:    irc.ErrBadChannelKey,
+			Params:  []string{channel},
+			Message: "Cannot join channel (+k)",
+		}
+	}
+
+	limit, limErr := database.GetChannelUserLimit(ctx, chID)
+	if limErr == nil && limit > 0 &&
+		memberCount >= int64(limit) {
+		return &IRCError{
+			Code:    irc.ErrChannelIsFull,
+			Params:  []string{channel},
+			Message: "Cannot join channel (+l)",
+		}
+	}
+
+	return nil
+}

internal/service/service_test.go

@@ -167,7 +167,7 @@ func TestJoinChannel(t *testing.T) {
 	sid := createSession(ctx, t, env.db, "alice")
 
 	result, err := env.svc.JoinChannel(
-		ctx, sid, "alice", "#general",
+		ctx, sid, "alice", "#general", "",
 	)
 	if err != nil {
 		t.Fatalf("JoinChannel: %v", err)
@@ -185,7 +185,7 @@ func TestJoinChannel(t *testing.T) {
 	sid2 := createSession(ctx, t, env.db, "bob")
 
 	result2, err := env.svc.JoinChannel(
-		ctx, sid2, "bob", "#general",
+		ctx, sid2, "bob", "#general", "",
 	)
 	if err != nil {
 		t.Fatalf("JoinChannel bob: %v", err)
@@ -207,7 +207,7 @@ func TestPartChannel(t *testing.T) {
 	sid := createSession(ctx, t, env.db, "alice")
 
 	_, err := env.svc.JoinChannel(
-		ctx, sid, "alice", "#general",
+		ctx, sid, "alice", "#general", "",
 	)
 	if err != nil {
 		t.Fatalf("JoinChannel: %v", err)
@@ -242,14 +242,14 @@ func TestSendChannelMessage(t *testing.T) {
 	sid2 := createSession(ctx, t, env.db, "bob")
 
 	_, err := env.svc.JoinChannel(
-		ctx, sid1, "alice", "#chat",
+		ctx, sid1, "alice", "#chat", "",
 	)
 	if err != nil {
 		t.Fatalf("join alice: %v", err)
 	}
 
 	_, err = env.svc.JoinChannel(
-		ctx, sid2, "bob", "#chat",
+		ctx, sid2, "bob", "#chat", "",
 	)
 	if err != nil {
 		t.Fatalf("join bob: %v", err)
@@ -293,14 +293,14 @@ func TestBroadcastQuit(t *testing.T) {
 	sid2 := createSession(ctx, t, env.db, "bob")
 
 	_, err := env.svc.JoinChannel(
-		ctx, sid1, "alice", "#room",
+		ctx, sid1, "alice", "#room", "",
 	)
 	if err != nil {
 		t.Fatalf("join alice: %v", err)
 	}
 
 	_, err = env.svc.JoinChannel(
-		ctx, sid2, "bob", "#room",
+		ctx, sid2, "bob", "#room", "",
 	)
 	if err != nil {
 		t.Fatalf("join bob: %v", err)
@@ -326,14 +326,14 @@ func TestSendChannelMessage_Moderated(t *testing.T) {
 	sid2 := createSession(ctx, t, env.db, "bob")
 
 	result, err := env.svc.JoinChannel(
-		ctx, sid1, "alice", "#modchat",
+		ctx, sid1, "alice", "#modchat", "",
 	)
 	if err != nil {
 		t.Fatalf("join alice: %v", err)
 	}
 
 	_, err = env.svc.JoinChannel(
-		ctx, sid2, "bob", "#modchat",
+		ctx, sid2, "bob", "#modchat", "",
 	)
 	if err != nil {
 		t.Fatalf("join bob: %v", err)