fix: correct all documentation inaccuracies about cookie-based auth

- Fix false claim 'clients never need to handle the token directly' — CLI clients (curl, custom HTTP clients) must explicitly manage cookies - Replace 'token' with 'cookie' in multi-client diagram (token_a → cookie_a) - Fix Set-Cookie placeholders in protocol diagrams (<token> → <random_hex>/<cookie_a>/<cookie_b>) - Fix 'old token' → 'old auth cookie' in QUIT command description - Fix 'get token' → 'get auth cookie' in Client Development Guide - Fix 'Tokens are hashed' → 'Cookie values are hashed' in Security Model - Fix 'client tokens are deleted' → 'client auth cookies are invalidated' - Fix 'Cookie sent automatically' → 'Cookie must be sent' in diagram - Fix 'eliminates token management from client code entirely' rationale - Fix 'No token appears in the JSON body' → 'No auth credential appears' - Fix 'encoded in the token' → 'encoded in the cookie value' - Fix 'Clients never handle tokens directly' in JWT comparison section - Update clients table token column description for clarity - All remaining 'token' refs verified as legitimate (pow_token/hashcash/JWT comparison/DB schema column name)
refactor: replace Bearer token auth with HttpOnly cookies
2026-03-19 23:17:49 -07:00 · 2026-03-19 23:17:49 -07:00
16 changed files with 236 additions and 6927 deletions
--- a/README.md
+++ b/README.md
@@ -212,13 +212,13 @@ Each session has an IRC-style hostmask composed of three parts:
 - **nick** — the user's current nick (changes with `NICK` command)
 - **username** — an ident-like identifier set at session creation (optional
-  `username` field in the session request; defaults to the nick)
+  `username` field in the session/register request; defaults to the nick)
 - **hostname** — automatically resolved via reverse DNS of the connecting
  client's IP address at session creation time
 - **ip** — the real IP address of the session creator, extracted from
  `X-Forwarded-For`, `X-Real-IP`, or `RemoteAddr`
-Each **client connection** (created at session creation or login)
+Each **client connection** (created at session creation, registration, or login)
 also stores its own **ip** and **hostname**, allowing the server to track the
 network origin of each individual client independently from the session.
 Client-level IP and hostname are **not displayed to regular users**. They are
@@ -824,9 +824,8 @@ Set or change a channel's topic.
 - Updates the channel's topic in the database.
 - The TOPIC event is broadcast to all channel members.
 - If the channel doesn't exist, the server returns an error.
- If the channel has mode `+t` (topic lock, default: ON for new channels),
+- If the channel has mode `+t` (topic lock), only operators can change the
-  only operators (`+o`) can change the topic. Non-operators receive
+  topic (not yet enforced).
  `ERR_CHANOPRIVSNEEDED` (482).
 **Response:** `200 OK`
 ```json
@@ -1021,23 +1020,16 @@ WHOIS responses (e.g., target user's current client IP and hostname).
 **IRC reference:** RFC 1459 §4.1.5
-#### KICK — Kick User
+#### KICK — Kick User (Planned)
-Remove a user from a channel. Only channel operators (`+o`) can use this
+Remove a user from a channel.
 command. The kicked user and all channel members receive the KICK message.
 **C2S:**
 ```json
-{"command": "KICK", "to": "#general", "body": ["bob", "misbehaving"]}
+{"command": "KICK", "to": "#general", "params": ["bob"], "body": ["misbehaving"]}
 ```
-The first element of `body` is the target nick, the second (optional) is the
+**Status:** Not yet implemented.
 reason. If no reason is provided, the kicker's nick is used as the default.
 **Errors:**
 - `482` (ERR_CHANOPRIVSNEEDED) — kicker is not a channel operator
 - `441` (ERR_USERNOTINCHANNEL) — target is not in the channel
 - `403` (ERR_NOSUCHCHANNEL) — channel does not exist
 **IRC reference:** RFC 1459 §4.2.8
@@ -1079,8 +1071,8 @@ the server to the client (never C2S) and use 3-digit string codes in the
 | `001` | RPL_WELCOME         | After session creation | `{"command":"001","to":"alice","body":["Welcome to the network, alice"]}` |
 | `002` | RPL_YOURHOST        | After session creation | `{"command":"002","to":"alice","body":["Your host is neoirc, running version 0.1"]}` |
 | `003` | RPL_CREATED         | After session creation | `{"command":"003","to":"alice","body":["This server was created 2026-02-10"]}` |
-| `004` | RPL_MYINFO          | After session creation | `{"command":"004","to":"alice","params":["neoirc","0.1","","ikmnostl"]}` |
+| `004` | RPL_MYINFO          | After session creation | `{"command":"004","to":"alice","params":["neoirc","0.1","","imnst"]}` |
-| `005` | RPL_ISUPPORT        | After session creation | `{"command":"005","to":"alice","params":["CHANTYPES=#","NICKLEN=32","PREFIX=(ov)@+","CHANMODES=b,k,Hl,imnst","NETWORK=neoirc"],"body":["are supported by this server"]}` |
+| `005` | RPL_ISUPPORT        | After session creation | `{"command":"005","to":"alice","params":["CHANTYPES=#","NICKLEN=32","NETWORK=neoirc"],"body":["are supported by this server"]}` |
 | `221` | RPL_UMODEIS         | In response to user MODE query | `{"command":"221","to":"alice","body":["+"]}` |
 | `251` | RPL_LUSERCLIENT     | On connect or LUSERS command | `{"command":"251","to":"alice","body":["There are 5 users and 0 invisible on 1 servers"]}` |
 | `252` | RPL_LUSEROP         | On connect or LUSERS command | `{"command":"252","to":"alice","params":["0"],"body":["operator(s) online"]}` |
@@ -1126,73 +1118,25 @@ carries IRC-style parameters (e.g., channel name, target nick).
 Inspired by IRC, simplified:
-| Mode | Name           | Meaning | Status |
+| Mode | Name           | Meaning |
-|------|----------------|---------|--------|
+|------|----------------|---------|
-| `+b` | Ban            | Prevents matching hostmasks from joining or sending (parameter: `nick!user@host` mask with wildcards) | **Enforced** |
+| `+i` | Invite-only    | Only invited users can join |
-| `+i` | Invite-only    | Only invited users can join; use `INVITE nick #channel` to invite | **Enforced** |
+| `+m` | Moderated      | Only voiced (`+v`) users and operators (`+o`) can send |
-| `+k` | Channel key    | Requires a password to join (parameter: key string) | **Enforced** |
+| `+s` | Secret         | Channel hidden from LIST response |
-| `+l` | User limit     | Maximum number of members allowed in the channel (parameter: integer) | **Enforced** |
+| `+t` | Topic lock     | Only operators can change the topic |
-| `+m` | Moderated      | Only voiced (`+v`) users and operators (`+o`) can send | **Enforced** |
+| `+n` | No external    | Only channel members can send messages to the channel |
-| `+n` | No external    | Only channel members can send messages to the channel | **Enforced** |
+| `+H` | Hashcash       | Requires proof-of-work for PRIVMSG (parameter: bits, e.g. `+H 20`) |
 | `+s` | Secret         | Channel hidden from LIST and WHOIS for non-members | **Enforced** |
 | `+t` | Topic lock     | Only operators can change the topic (default: ON) | **Enforced** |
 | `+H` | Hashcash       | Requires proof-of-work for PRIVMSG (parameter: bits, e.g. `+H 20`) | **Enforced** |
 **User channel modes (set per-user per-channel):**
-| Mode | Meaning | Display prefix | Status |
+| Mode | Meaning | Display prefix |
-|------|---------|----------------|--------|
+|------|---------|----------------|
-| `+o` | Operator | `@` in NAMES reply | **Enforced** |
+| `+o` | Operator | `@` in NAMES reply |
-| `+v` | Voice    | `+` in NAMES reply | **Enforced** |
+| `+v` | Voice    | `+` in NAMES reply |
-**Channel creator auto-op:** The first user to JOIN a channel (creating it)
+**Status:** Channel modes are defined but not yet enforced. The `modes` column
-automatically receives `+o` operator status.
+exists in the channels table but the server does not check modes on actions.
-
+Exception: `+H` (hashcash) is fully enforced — see below.
 **Ban system (+b):** Operators can ban users by hostmask pattern with wildcard
 matching (`*` and `?`). `MODE #channel +b` with no argument lists current bans.
 Bans prevent both joining and sending messages.
 ```
 MODE #channel +b *!*@*.example.com   — ban all users from example.com
 MODE #channel -b *!*@*.example.com   — remove the ban
 MODE #channel +b                     — list all bans (RPL_BANLIST 367/368)
 ```
 **Invite-only (+i):** When set, users must be invited by an operator before
 joining. The `INVITE` command records an invite that is consumed on JOIN.
 ```
 MODE #channel +i                     — set invite-only
 INVITE nick #channel                 — invite a user (operator only on +i channels)
 ```
 **Channel key (+k):** Requires a password to join the channel.
 ```
 MODE #channel +k secretpass          — set a channel key
 MODE #channel -k *                   — remove the key
 JOIN #channel secretpass             — join with key
 ```
 **User limit (+l):** Caps the number of members in the channel.
 ```
 MODE #channel +l 50                  — set limit to 50 members
 MODE #channel -l                     — remove the limit
 ```
 **Secret (+s):** Hides the channel from `LIST` for non-members and from
 `WHOIS` channel lists when the querier is not in the same channel.
 **KICK command:** Channel operators can remove users with `KICK #channel nick
 [:reason]`. The kicked user and all channel members receive the KICK message.
 **NOTICE:** Follows RFC 2812 — NOTICE never triggers auto-replies (including
 RPL_AWAY), and skips hashcash validation on +H channels (servers and services
 use NOTICE).
 **ISUPPORT:** The server advertises `PREFIX=(ov)@+` and
 `CHANMODES=b,k,Hl,imnst` in RPL_ISUPPORT (005).
 ### Per-Channel Hashcash (Anti-Spam)
@@ -2264,8 +2208,6 @@ directory is also loaded automatically via
 | `NEOIRC_HASHCASH_BITS` | int | `20`                               | Required hashcash proof-of-work difficulty (leading zero bits in SHA-256) for session creation. Set to `0` to disable. |
 | `NEOIRC_OPER_NAME` | string | `""`                                 | Server operator (o-line) username. Both name and password must be set to enable OPER. |
 | `NEOIRC_OPER_PASSWORD` | string | `""`                              | Server operator (o-line) password. Both name and password must be set to enable OPER. |
 | `LOGIN_RATE_LIMIT` | float   | `1`                                  | Allowed login attempts per second per IP address. |
 | `LOGIN_RATE_BURST`  | int    | `5`                                  | Maximum burst of login attempts per IP before rate limiting kicks in. |
 | `MAINTENANCE_MODE` | bool    | `false`                              | Maintenance mode flag (reserved) |
 ### Example `.env` file
@@ -2526,7 +2468,8 @@ Clients should handle these message commands from the queue:
 - **HTTP 401**: Auth cookie expired or invalid. Re-create session or
  re-login (if a password was set).
 - **HTTP 404**: Channel or user not found.
- **HTTP 409**: Nick already taken (on session creation or NICK change).
+- **HTTP 409**: Nick already taken (on session creation, registration, or
  NICK change).
 - **HTTP 400**: Malformed request. Check the `error` field in the response.
 - **Network errors**: Back off exponentially (1s, 2s, 4s, ..., max 30s).
@@ -2659,49 +2602,6 @@ creating one session pays once and keeps their session.
 - **Language-agnostic**: SHA-256 is available in every programming language.
  The proof computation is trivially implementable in any client.
 ### Login Rate Limiting
 The login endpoint (`POST /api/v1/login`) has per-IP rate limiting to prevent
 brute-force password attacks. This uses a token-bucket algorithm
 (`golang.org/x/time/rate`) with configurable rate and burst.
 | Environment Variable | Default | Description |
 |---------------------|---------|-------------|
 | `LOGIN_RATE_LIMIT`  | `1`     | Allowed login attempts per second per IP |
 | `LOGIN_RATE_BURST`  | `5`     | Maximum burst of login attempts per IP |
 When the limit is exceeded, the server returns **429 Too Many Requests** with a
 `Retry-After: 1` header. Stale per-IP entries are automatically cleaned up
 every 10 minutes.
 > **⚠️ Security: Reverse Proxy Required for Production Use**
 >
 > The rate limiter extracts the client IP by checking the `X-Forwarded-For`
 > header first, then `X-Real-IP`, and finally falling back to the TCP
 > `RemoteAddr`. Both `X-Forwarded-For` and `X-Real-IP` are **client-controlled
 > request headers** — any client can set them to arbitrary values.
 >
 > Without a properly configured reverse proxy in front of this server:
 >
 > - An attacker can **bypass rate limiting entirely** by rotating
 >   `X-Forwarded-For` values on each request (each value is treated as a
 >   distinct IP).
 > - An attacker can **deny service to a specific user** by spoofing that user's
 >   IP in the `X-Forwarded-For` header, exhausting their rate limit bucket.
 >
 > **Recommendation:** Always deploy behind a reverse proxy (e.g. nginx, Caddy,
 > Traefik) that strips or overwrites incoming `X-Forwarded-For` and `X-Real-IP`
 > headers with the actual client IP. If running without a reverse proxy, be
 > aware that the rate limiting provides no meaningful protection against a
 > targeted attack.
 **Why rate limits here but not on session creation?** Session creation is
 protected by hashcash proof-of-work (stateless, no IP tracking needed). Login
 involves bcrypt password verification against a registered account — a
 fundamentally different threat model where an attacker targets a specific
 account. Per-IP rate limiting is appropriate here because the cost of a wrong
 guess is borne by the server (bcrypt), not the client.
 ---
 ## Roadmap
@@ -2733,19 +2633,17 @@ guess is borne by the server (bcrypt), not the client.
 - [x] **Hashcash proof-of-work** for session creation (abuse prevention)
 - [x] **Client output queue pruning** — delete old client output queue entries per `QUEUE_MAX_AGE`
 - [x] **Message rotation** — prune messages older than `MESSAGE_MAX_AGE`
- [x] **Channel modes** — enforce `+m` (moderated), `+t` (topic lock), `+n` (no external)
+- [ ] **Channel modes** — enforce `+i`, `+m`, `+s`, `+t`, `+n`
- [x] **Channel modes (tier 2)** — enforce `+i` (invite-only), `+s` (secret), `+b` (ban), `+k` (key), `+l` (limit)
+- [ ] **User channel modes** — `+o` (operator), `+v` (voice)
- [x] **User channel modes** — `+o` (operator), `+v` (voice) with NAMES prefixes
+- [x] **MODE command** — query channel and user modes (set not yet implemented)
- [x] **KICK command** — operator-only channel kick with broadcast
+- [x] **NAMES command** — query channel member list
 - [x] **MODE command** — query and set channel/user modes
 - [x] **NAMES command** — query channel member list with @/+ prefixes
 - [x] **LIST command** — list all channels with member counts
 - [x] **WHOIS command** — query user information and channel membership
 - [x] **WHO command** — query channel user list
 - [x] **LUSERS command** — query server statistics
 - [x] **Connection registration numerics** — 001-005 sent on session creation
 - [x] **LUSERS numerics** — 251/252/254/255 sent on connect and via /LUSERS
- [x] **KICK command** — remove users from channels (operator-only)
+- [ ] **KICK command** — remove users from channels
 - [x] **Numeric replies** — send IRC numeric codes via the message queue
  (001-005 welcome, 251-255 LUSERS, 311-319 WHOIS, 322-329 LIST/MODE,
  331-332 TOPIC, 352-353 WHO/NAMES, 366, 372-376 MOTD, 401-461 errors)
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,6 @@ require (
 	github.com/spf13/viper v1.21.0
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.48.0
 	golang.org/x/time v0.6.0
 	modernc.org/sqlite v1.45.0
 )
--- a/go.sum
+++ b/go.sum
@@ -151,8 +151,6 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -48,8 +48,6 @@ type Config struct {
 	HashcashBits       int
 	OperName           string
 	OperPassword       string
 	LoginRateLimit     float64
 	LoginRateBurst     int
 	params             *Params
 	log                *slog.Logger
 }
@@ -84,8 +82,6 @@ func New(
 	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
 	viper.SetDefault("NEOIRC_OPER_NAME", "")
 	viper.SetDefault("NEOIRC_OPER_PASSWORD", "")
 	viper.SetDefault("LOGIN_RATE_LIMIT", "1")
 	viper.SetDefault("LOGIN_RATE_BURST", "5")
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -114,8 +110,6 @@ func New(
 		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
 		OperName:           viper.GetString("NEOIRC_OPER_NAME"),
 		OperPassword:       viper.GetString("NEOIRC_OPER_PASSWORD"),
 		LoginRateLimit:     viper.GetFloat64("LOGIN_RATE_LIMIT"),
 		LoginRateBurst:     viper.GetInt("LOGIN_RATE_BURST"),
 		log:                log,
 		params:             &params,
 	}
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
@@ -9,7 +9,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
@@ -73,13 +72,11 @@ type ChannelInfo struct {
 // MemberInfo represents a channel member.
 type MemberInfo struct {
-	ID         int64     `json:"id"`
+	ID       int64     `json:"id"`
-	Nick       string    `json:"nick"`
+	Nick     string    `json:"nick"`
-	Username   string    `json:"username"`
+	Username string    `json:"username"`
-	Hostname   string    `json:"hostname"`
+	Hostname string    `json:"hostname"`
-	IsOperator bool      `json:"isOperator"`
+	LastSeen time.Time `json:"lastSeen"`
 	IsVoiced   bool      `json:"isVoiced"`
 	LastSeen   time.Time `json:"lastSeen"`
 }
 // Hostmask returns the IRC hostmask in
@@ -439,237 +436,6 @@ func (database *Database) JoinChannel(
 	return nil
 }
 // JoinChannelAsOperator adds a session to a channel with
 // operator status. Used when a user creates a new channel.
 func (database *Database) JoinChannelAsOperator(
 	ctx context.Context,
 	channelID, sessionID int64,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`INSERT OR IGNORE INTO channel_members
 		 (channel_id, session_id, is_operator, joined_at)
 		 VALUES (?, ?, 1, ?)`,
 		channelID, sessionID, time.Now())
 	if err != nil {
 		return fmt.Errorf(
 			"join channel as operator: %w", err,
 		)
 	}
 	return nil
 }
 // CountChannelMembers returns the number of members in
 // a channel.
 func (database *Database) CountChannelMembers(
 	ctx context.Context,
 	channelID int64,
 ) (int64, error) {
 	var count int64
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT COUNT(*) FROM channel_members
 		 WHERE channel_id = ?`,
 		channelID,
 	).Scan(&count)
 	if err != nil {
 		return 0, fmt.Errorf(
 			"count channel members: %w", err,
 		)
 	}
 	return count, nil
 }
 // IsChannelOperator checks if a session has operator
 // status in a channel.
 func (database *Database) IsChannelOperator(
 	ctx context.Context,
 	channelID, sessionID int64,
 ) (bool, error) {
 	var isOp int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT is_operator FROM channel_members
 		 WHERE channel_id = ? AND session_id = ?`,
 		channelID, sessionID,
 	).Scan(&isOp)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check channel operator: %w", err,
 		)
 	}
 	return isOp != 0, nil
 }
 // IsChannelVoiced checks if a session has voice status
 // in a channel.
 func (database *Database) IsChannelVoiced(
 	ctx context.Context,
 	channelID, sessionID int64,
 ) (bool, error) {
 	var isVoiced int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT is_voiced FROM channel_members
 		 WHERE channel_id = ? AND session_id = ?`,
 		channelID, sessionID,
 	).Scan(&isVoiced)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check channel voiced: %w", err,
 		)
 	}
 	return isVoiced != 0, nil
 }
 // SetChannelMemberOperator sets or clears operator status
 // for a session in a channel.
 func (database *Database) SetChannelMemberOperator(
 	ctx context.Context,
 	channelID, sessionID int64,
 	isOp bool,
 ) error {
 	val := 0
 	if isOp {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channel_members
 		 SET is_operator = ?
 		 WHERE channel_id = ? AND session_id = ?`,
 		val, channelID, sessionID)
 	if err != nil {
 		return fmt.Errorf(
 			"set channel member operator: %w", err,
 		)
 	}
 	return nil
 }
 // SetChannelMemberVoiced sets or clears voice status
 // for a session in a channel.
 func (database *Database) SetChannelMemberVoiced(
 	ctx context.Context,
 	channelID, sessionID int64,
 	isVoiced bool,
 ) error {
 	val := 0
 	if isVoiced {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channel_members
 		 SET is_voiced = ?
 		 WHERE channel_id = ? AND session_id = ?`,
 		val, channelID, sessionID)
 	if err != nil {
 		return fmt.Errorf(
 			"set channel member voiced: %w", err,
 		)
 	}
 	return nil
 }
 // IsChannelModerated returns whether a channel has +m set.
 func (database *Database) IsChannelModerated(
 	ctx context.Context,
 	channelID int64,
 ) (bool, error) {
 	var isMod int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT is_moderated FROM channels
 		 WHERE id = ?`,
 		channelID,
 	).Scan(&isMod)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check channel moderated: %w", err,
 		)
 	}
 	return isMod != 0, nil
 }
 // SetChannelModerated sets or clears +m on a channel.
 func (database *Database) SetChannelModerated(
 	ctx context.Context,
 	channelID int64,
 	moderated bool,
 ) error {
 	val := 0
 	if moderated {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channels
 		 SET is_moderated = ?, updated_at = ?
 		 WHERE id = ?`,
 		val, time.Now(), channelID)
 	if err != nil {
 		return fmt.Errorf(
 			"set channel moderated: %w", err,
 		)
 	}
 	return nil
 }
 // IsChannelTopicLocked returns whether a channel has
 // +t set.
 func (database *Database) IsChannelTopicLocked(
 	ctx context.Context,
 	channelID int64,
 ) (bool, error) {
 	var isLocked int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT is_topic_locked FROM channels
 		 WHERE id = ?`,
 		channelID,
 	).Scan(&isLocked)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check channel topic locked: %w", err,
 		)
 	}
 	return isLocked != 0, nil
 }
 // SetChannelTopicLocked sets or clears +t on a channel.
 func (database *Database) SetChannelTopicLocked(
 	ctx context.Context,
 	channelID int64,
 	locked bool,
 ) error {
 	val := 0
 	if locked {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channels
 		 SET is_topic_locked = ?, updated_at = ?
 		 WHERE id = ?`,
 		val, time.Now(), channelID)
 	if err != nil {
 		return fmt.Errorf(
 			"set channel topic locked: %w", err,
 		)
 	}
 	return nil
 }
 // PartChannel removes a session from a channel.
 func (database *Database) PartChannel(
 	ctx context.Context,
@@ -781,8 +547,7 @@ func (database *Database) ChannelMembers(
 ) ([]MemberInfo, error) {
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT s.id, s.nick, s.username,
-		   s.hostname, cm.is_operator, cm.is_voiced,
+		   s.hostname, s.last_seen
 		   s.last_seen
 		 FROM sessions s
 		 INNER JOIN channel_members cm
 		   ON cm.session_id = s.id
@@ -799,16 +564,11 @@ func (database *Database) ChannelMembers(
 	var members []MemberInfo
 	for rows.Next() {
-		var (
+		var member MemberInfo
 			member MemberInfo
 			isOp   int
 			isV    int
 		)
 		err = rows.Scan(
 			&member.ID, &member.Nick,
 			&member.Username, &member.Hostname,
 			&isOp, &isV,
 			&member.LastSeen,
 		)
 		if err != nil {
@@ -817,9 +577,6 @@ func (database *Database) ChannelMembers(
 			)
 		}
 		member.IsOperator = isOp != 0
 		member.IsVoiced = isV != 0
 		members = append(members, member)
 	}
@@ -1836,663 +1593,3 @@ func (database *Database) PruneSpentHashcash(
 	return deleted, nil
 }
 // --- Tier 2: Ban system (+b) ---
 // BanInfo represents a channel ban entry.
 type BanInfo struct {
 	Mask      string
 	SetBy     string
 	CreatedAt time.Time
 }
 // AddChannelBan inserts a ban mask for a channel.
 func (database *Database) AddChannelBan(
 	ctx context.Context,
 	channelID int64,
 	mask, setBy string,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`INSERT OR IGNORE INTO channel_bans
 		 (channel_id, mask, set_by, created_at)
 		 VALUES (?, ?, ?, ?)`,
 		channelID, mask, setBy, time.Now())
 	if err != nil {
 		return fmt.Errorf("add channel ban: %w", err)
 	}
 	return nil
 }
 // RemoveChannelBan removes a ban mask from a channel.
 func (database *Database) RemoveChannelBan(
 	ctx context.Context,
 	channelID int64,
 	mask string,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`DELETE FROM channel_bans
 		 WHERE channel_id = ? AND mask = ?`,
 		channelID, mask)
 	if err != nil {
 		return fmt.Errorf("remove channel ban: %w", err)
 	}
 	return nil
 }
 // ListChannelBans returns all bans for a channel.
 //
 //nolint:dupl // different query+type vs filtered variant
 func (database *Database) ListChannelBans(
 	ctx context.Context,
 	channelID int64,
 ) ([]BanInfo, error) {
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT mask, set_by, created_at
 		 FROM channel_bans
 		 WHERE channel_id = ?
 		 ORDER BY created_at ASC`,
 		channelID)
 	if err != nil {
 		return nil, fmt.Errorf("list channel bans: %w", err)
 	}
 	defer func() { _ = rows.Close() }()
 	var bans []BanInfo
 	for rows.Next() {
 		var ban BanInfo
 		if scanErr := rows.Scan(
 			&ban.Mask, &ban.SetBy, &ban.CreatedAt,
 		); scanErr != nil {
 			return nil, fmt.Errorf(
 				"scan channel ban: %w", scanErr,
 			)
 		}
 		bans = append(bans, ban)
 	}
 	if rowErr := rows.Err(); rowErr != nil {
 		return nil, fmt.Errorf(
 			"iterate channel bans: %w", rowErr,
 		)
 	}
 	return bans, nil
 }
 // IsSessionBanned checks if a session's hostmask matches
 // any ban in the channel. Returns true if banned.
 func (database *Database) IsSessionBanned(
 	ctx context.Context,
 	channelID, sessionID int64,
 ) (bool, error) {
 	// Get the session's hostmask parts.
 	var nick, username, hostname string
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT nick, username, hostname
 		 FROM sessions WHERE id = ?`,
 		sessionID,
 	).Scan(&nick, &username, &hostname)
 	if err != nil {
 		return false, fmt.Errorf(
 			"get session hostmask: %w", err,
 		)
 	}
 	hostmask := FormatHostmask(nick, username, hostname)
 	// Get all ban masks for the channel.
 	bans, banErr := database.ListChannelBans(ctx, channelID)
 	if banErr != nil {
 		return false, banErr
 	}
 	for _, ban := range bans {
 		if MatchBanMask(ban.Mask, hostmask) {
 			return true, nil
 		}
 	}
 	return false, nil
 }
 // MatchBanMask checks if hostmask matches a ban pattern
 // using IRC-style wildcard matching (* and ?).
 func MatchBanMask(pattern, hostmask string) bool {
 	return wildcardMatch(
 		strings.ToLower(pattern),
 		strings.ToLower(hostmask),
 	)
 }
 // wildcardMatch implements simple glob-style matching
 // with * (any sequence) and ? (any single character).
 func wildcardMatch(pattern, str string) bool {
 	for len(pattern) > 0 {
 		switch pattern[0] {
 		case '*':
 			// Skip consecutive asterisks.
 			for len(pattern) > 0 && pattern[0] == '*' {
 				pattern = pattern[1:]
 			}
 			if len(pattern) == 0 {
 				return true
 			}
 			for i := 0; i <= len(str); i++ {
 				if wildcardMatch(pattern, str[i:]) {
 					return true
 				}
 			}
 			return false
 		case '?':
 			if len(str) == 0 {
 				return false
 			}
 			pattern = pattern[1:]
 			str = str[1:]
 		default:
 			if len(str) == 0 || pattern[0] != str[0] {
 				return false
 			}
 			pattern = pattern[1:]
 			str = str[1:]
 		}
 	}
 	return len(str) == 0
 }
 // --- Tier 2: Invite-only (+i) ---
 // IsChannelInviteOnly checks if a channel has +i mode.
 func (database *Database) IsChannelInviteOnly(
 	ctx context.Context,
 	channelID int64,
 ) (bool, error) {
 	var isInviteOnly int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT is_invite_only FROM channels
 		 WHERE id = ?`,
 		channelID,
 	).Scan(&isInviteOnly)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check invite only: %w", err,
 		)
 	}
 	return isInviteOnly != 0, nil
 }
 // SetChannelInviteOnly sets or unsets +i mode.
 func (database *Database) SetChannelInviteOnly(
 	ctx context.Context,
 	channelID int64,
 	inviteOnly bool,
 ) error {
 	val := 0
 	if inviteOnly {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channels
 		 SET is_invite_only = ?, updated_at = ?
 		 WHERE id = ?`,
 		val, time.Now(), channelID)
 	if err != nil {
 		return fmt.Errorf(
 			"set invite only: %w", err,
 		)
 	}
 	return nil
 }
 // AddChannelInvite records that a session has been
 // invited to a channel.
 func (database *Database) AddChannelInvite(
 	ctx context.Context,
 	channelID, sessionID int64,
 	invitedBy string,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`INSERT OR IGNORE INTO channel_invites
 		 (channel_id, session_id, invited_by, created_at)
 		 VALUES (?, ?, ?, ?)`,
 		channelID, sessionID, invitedBy, time.Now())
 	if err != nil {
 		return fmt.Errorf("add channel invite: %w", err)
 	}
 	return nil
 }
 // HasChannelInvite checks if a session has been invited
 // to a channel.
 func (database *Database) HasChannelInvite(
 	ctx context.Context,
 	channelID, sessionID int64,
 ) (bool, error) {
 	var count int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT COUNT(*) FROM channel_invites
 		 WHERE channel_id = ? AND session_id = ?`,
 		channelID, sessionID,
 	).Scan(&count)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check invite: %w", err,
 		)
 	}
 	return count > 0, nil
 }
 // ClearChannelInvite removes a session's invite to a
 // channel (called after successful JOIN).
 func (database *Database) ClearChannelInvite(
 	ctx context.Context,
 	channelID, sessionID int64,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`DELETE FROM channel_invites
 		 WHERE channel_id = ? AND session_id = ?`,
 		channelID, sessionID)
 	if err != nil {
 		return fmt.Errorf("clear invite: %w", err)
 	}
 	return nil
 }
 // --- Tier 2: Secret (+s) ---
 // IsChannelSecret checks if a channel has +s mode.
 func (database *Database) IsChannelSecret(
 	ctx context.Context,
 	channelID int64,
 ) (bool, error) {
 	var isSecret int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT is_secret FROM channels
 		 WHERE id = ?`,
 		channelID,
 	).Scan(&isSecret)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check secret: %w", err,
 		)
 	}
 	return isSecret != 0, nil
 }
 // SetChannelSecret sets or unsets +s mode.
 func (database *Database) SetChannelSecret(
 	ctx context.Context,
 	channelID int64,
 	secret bool,
 ) error {
 	val := 0
 	if secret {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channels
 		 SET is_secret = ?, updated_at = ?
 		 WHERE id = ?`,
 		val, time.Now(), channelID)
 	if err != nil {
 		return fmt.Errorf("set secret: %w", err)
 	}
 	return nil
 }
 // ListAllChannelsWithCountsFiltered returns all channels
 // with member counts, excluding secret channels that
 // the given session is not a member of.
 //
 //nolint:dupl // different query+type vs ListChannelBans
 func (database *Database) ListAllChannelsWithCountsFiltered(
 	ctx context.Context,
 	sessionID int64,
 ) ([]ChannelInfoFull, error) {
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT c.name, COUNT(cm.id) AS member_count,
 		        c.topic
 		 FROM channels c
 		 LEFT JOIN channel_members cm
 		   ON cm.channel_id = c.id
 		 WHERE c.is_secret = 0
 		    OR c.id IN (
 		       SELECT channel_id FROM channel_members
 		       WHERE session_id = ?
 		    )
 		 GROUP BY c.id
 		 ORDER BY c.name ASC`,
 		sessionID)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"list channels filtered: %w", err,
 		)
 	}
 	defer func() { _ = rows.Close() }()
 	var channels []ChannelInfoFull
 	for rows.Next() {
 		var chanInfo ChannelInfoFull
 		if scanErr := rows.Scan(
 			&chanInfo.Name,
 			&chanInfo.MemberCount,
 			&chanInfo.Topic,
 		); scanErr != nil {
 			return nil, fmt.Errorf(
 				"scan channel: %w", scanErr,
 			)
 		}
 		channels = append(channels, chanInfo)
 	}
 	if rowErr := rows.Err(); rowErr != nil {
 		return nil, fmt.Errorf(
 			"iterate channels: %w", rowErr,
 		)
 	}
 	return channels, nil
 }
 // GetSessionChannelsFiltered returns channels a session
 // belongs to, optionally excluding secret channels for
 // WHOIS (when the querier is not in the same channel).
 // If querierID == targetID, returns all channels.
 func (database *Database) GetSessionChannelsFiltered(
 	ctx context.Context,
 	targetSID, querierSID int64,
 ) ([]ChannelInfo, error) {
 	// If querying yourself, return all channels.
 	if targetSID == querierSID {
 		return database.GetSessionChannels(ctx, targetSID)
 	}
 	rows, err := database.conn.QueryContext(ctx,
 		`SELECT c.id, c.name, c.topic
 		 FROM channels c
 		 JOIN channel_members cm
 		   ON cm.channel_id = c.id
 		 WHERE cm.session_id = ?
 		   AND (c.is_secret = 0
 		        OR c.id IN (
 		           SELECT channel_id FROM channel_members
 		           WHERE session_id = ?
 		        ))
 		 ORDER BY c.name ASC`,
 		targetSID, querierSID)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"get session channels filtered: %w", err,
 		)
 	}
 	defer func() { _ = rows.Close() }()
 	var channels []ChannelInfo
 	for rows.Next() {
 		var chanInfo ChannelInfo
 		if scanErr := rows.Scan(
 			&chanInfo.ID,
 			&chanInfo.Name,
 			&chanInfo.Topic,
 		); scanErr != nil {
 			return nil, fmt.Errorf(
 				"scan channel: %w", scanErr,
 			)
 		}
 		channels = append(channels, chanInfo)
 	}
 	if rowErr := rows.Err(); rowErr != nil {
 		return nil, fmt.Errorf(
 			"iterate channels: %w", rowErr,
 		)
 	}
 	return channels, nil
 }
 // --- Tier 2: Channel Key (+k) ---
 // GetChannelKey returns the key for a channel (empty
 // string means no key set).
 func (database *Database) GetChannelKey(
 	ctx context.Context,
 	channelID int64,
 ) (string, error) {
 	var key string
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT channel_key FROM channels
 		 WHERE id = ?`,
 		channelID,
 	).Scan(&key)
 	if err != nil {
 		return "", fmt.Errorf("get channel key: %w", err)
 	}
 	return key, nil
 }
 // SetChannelKey sets or clears the key for a channel.
 func (database *Database) SetChannelKey(
 	ctx context.Context,
 	channelID int64,
 	key string,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channels
 		 SET channel_key = ?, updated_at = ?
 		 WHERE id = ?`,
 		key, time.Now(), channelID)
 	if err != nil {
 		return fmt.Errorf("set channel key: %w", err)
 	}
 	return nil
 }
 // --- Tier 2: User Limit (+l) ---
 // GetChannelUserLimit returns the user limit for a
 // channel (0 means no limit).
 func (database *Database) GetChannelUserLimit(
 	ctx context.Context,
 	channelID int64,
 ) (int, error) {
 	var limit int
 	err := database.conn.QueryRowContext(ctx,
 		`SELECT user_limit FROM channels
 		 WHERE id = ?`,
 		channelID,
 	).Scan(&limit)
 	if err != nil {
 		return 0, fmt.Errorf(
 			"get channel user limit: %w", err,
 		)
 	}
 	return limit, nil
 }
 // SetChannelUserLimit sets the user limit for a channel.
 func (database *Database) SetChannelUserLimit(
 	ctx context.Context,
 	channelID int64,
 	limit int,
 ) error {
 	_, err := database.conn.ExecContext(ctx,
 		`UPDATE channels
 		 SET user_limit = ?, updated_at = ?
 		 WHERE id = ?`,
 		limit, time.Now(), channelID)
 	if err != nil {
 		return fmt.Errorf(
 			"set channel user limit: %w", err,
 		)
 	}
 	return nil
 }
 // SetSessionWallops sets the wallops (+w) flag on a
 // session.
 func (database *Database) SetSessionWallops(
 	ctx context.Context,
 	sessionID int64,
 	enabled bool,
 ) error {
 	val := 0
 	if enabled {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(
 		ctx,
 		`UPDATE sessions SET is_wallops = ? WHERE id = ?`,
 		val, sessionID,
 	)
 	if err != nil {
 		return fmt.Errorf("set session wallops: %w", err)
 	}
 	return nil
 }
 // IsSessionWallops returns whether the session has the
 // wallops (+w) usermode set.
 func (database *Database) IsSessionWallops(
 	ctx context.Context,
 	sessionID int64,
 ) (bool, error) {
 	var isWallops int
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT is_wallops FROM sessions WHERE id = ?`,
 		sessionID,
 	).Scan(&isWallops)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check session wallops: %w", err,
 		)
 	}
 	return isWallops != 0, nil
 }
 // GetWallopsSessionIDs returns all session IDs that have
 // the wallops (+w) usermode set.
 func (database *Database) GetWallopsSessionIDs(
 	ctx context.Context,
 ) ([]int64, error) {
 	rows, err := database.conn.QueryContext(
 		ctx,
 		`SELECT id FROM sessions WHERE is_wallops = 1`,
 	)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"get wallops sessions: %w", err,
 		)
 	}
 	defer func() { _ = rows.Close() }()
 	var ids []int64
 	for rows.Next() {
 		var sessionID int64
 		if scanErr := rows.Scan(&sessionID); scanErr != nil {
 			return nil, fmt.Errorf(
 				"scan wallops session: %w", scanErr,
 			)
 		}
 		ids = append(ids, sessionID)
 	}
 	if err := rows.Err(); err != nil {
 		return nil, fmt.Errorf(
 			"iterate wallops sessions: %w", err,
 		)
 	}
 	return ids, nil
 }
 // UserhostInfo holds the data needed for RPL_USERHOST.
 type UserhostInfo struct {
 	Nick        string
 	Username    string
 	Hostname    string
 	IsOper      bool
 	AwayMessage string
 }
 // GetUserhostInfo returns USERHOST info for the given
 // nicks. Only nicks that exist are returned.
 func (database *Database) GetUserhostInfo(
 	ctx context.Context,
 	nicks []string,
 ) ([]UserhostInfo, error) {
 	if len(nicks) == 0 {
 		return nil, nil
 	}
 	results := make([]UserhostInfo, 0, len(nicks))
 	for _, nick := range nicks {
 		var info UserhostInfo
 		err := database.conn.QueryRowContext(
 			ctx,
 			`SELECT nick, username, hostname,
 			        is_oper, away_message
 			 FROM sessions WHERE nick = ?`,
 			nick,
 		).Scan(
 			&info.Nick, &info.Username, &info.Hostname,
 			&info.IsOper, &info.AwayMessage,
 		)
 		if err != nil {
 			continue // nick not found, skip
 		}
 		results = append(results, info)
 	}
 	return results, nil
 }
--- a/internal/db/queries_test.go
+++ b/internal/db/queries_test.go
@@ -1017,474 +1017,3 @@ func TestGetOperCount(t *testing.T) {
 		t.Fatalf("expected 1 oper, got %d", count)
 	}
 }
 // --- Tier 2 Tests ---
 func TestWildcardMatch(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		pattern string
 		input   string
 		match   bool
 	}{
 		{"*!*@*", "nick!user@host", true},
 		{"*!*@*.example.com", "nick!user@foo.example.com", true},
 		{"*!*@*.example.com", "nick!user@other.net", false},
 		{"badnick!*@*", "badnick!user@host", true},
 		{"badnick!*@*", "goodnick!user@host", false},
 		{"nick!user@host", "nick!user@host", true},
 		{"nick!user@host", "nick!user@other", false},
 		{"*", "anything", true},
 		{"?ick!*@*", "nick!user@host", true},
 		{"?ick!*@*", "nn!user@host", false},
 		// Case-insensitive.
 		{"Nick!*@*", "nick!user@host", true},
 	}
 	for _, tc := range tests {
 		result := db.MatchBanMask(tc.pattern, tc.input)
 		if result != tc.match {
 			t.Errorf(
 				"MatchBanMask(%q, %q) = %v, want %v",
 				tc.pattern, tc.input, result, tc.match,
 			)
 		}
 	}
 }
 func TestChannelBanCRUD(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	chID, err := database.GetOrCreateChannel(ctx, "#test")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// No bans initially.
 	bans, err := database.ListChannelBans(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(bans) != 0 {
 		t.Fatalf("expected 0 bans, got %d", len(bans))
 	}
 	// Add a ban.
 	err = database.AddChannelBan(
 		ctx, chID, "*!*@evil.com", "op",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	bans, err = database.ListChannelBans(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(bans) != 1 {
 		t.Fatalf("expected 1 ban, got %d", len(bans))
 	}
 	if bans[0].Mask != "*!*@evil.com" {
 		t.Fatalf("wrong mask: %s", bans[0].Mask)
 	}
 	// Duplicate add is ignored (OR IGNORE).
 	err = database.AddChannelBan(
 		ctx, chID, "*!*@evil.com", "op2",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	bans, _ = database.ListChannelBans(ctx, chID)
 	if len(bans) != 1 {
 		t.Fatalf("expected 1 ban after dup, got %d", len(bans))
 	}
 	// Remove ban.
 	err = database.RemoveChannelBan(
 		ctx, chID, "*!*@evil.com",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	bans, _ = database.ListChannelBans(ctx, chID)
 	if len(bans) != 0 {
 		t.Fatalf("expected 0 bans after remove, got %d", len(bans))
 	}
 }
 func TestIsSessionBanned(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sid, _, _, err := database.CreateSession(
 		ctx, "victim", "victim", "evil.com", "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	chID, err := database.GetOrCreateChannel(ctx, "#bantest")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Not banned initially.
 	banned, err := database.IsSessionBanned(ctx, chID, sid)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if banned {
 		t.Fatal("should not be banned initially")
 	}
 	// Add ban matching the hostmask.
 	err = database.AddChannelBan(
 		ctx, chID, "*!*@evil.com", "op",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	banned, err = database.IsSessionBanned(ctx, chID, sid)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if !banned {
 		t.Fatal("should be banned")
 	}
 }
 func TestChannelInviteOnly(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	chID, err := database.GetOrCreateChannel(ctx, "#invite")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Default: not invite-only.
 	isIO, err := database.IsChannelInviteOnly(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if isIO {
 		t.Fatal("should not be invite-only by default")
 	}
 	// Set invite-only.
 	err = database.SetChannelInviteOnly(ctx, chID, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
 	if !isIO {
 		t.Fatal("should be invite-only")
 	}
 	// Unset.
 	err = database.SetChannelInviteOnly(ctx, chID, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
 	if isIO {
 		t.Fatal("should not be invite-only")
 	}
 }
 func TestChannelInviteCRUD(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sid, _, _, err := database.CreateSession(
 		ctx, "invited", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	chID, err := database.GetOrCreateChannel(ctx, "#inv")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// No invite initially.
 	has, err := database.HasChannelInvite(ctx, chID, sid)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if has {
 		t.Fatal("should not have invite")
 	}
 	// Add invite.
 	err = database.AddChannelInvite(ctx, chID, sid, "op")
 	if err != nil {
 		t.Fatal(err)
 	}
 	has, _ = database.HasChannelInvite(ctx, chID, sid)
 	if !has {
 		t.Fatal("should have invite")
 	}
 	// Clear invite.
 	err = database.ClearChannelInvite(ctx, chID, sid)
 	if err != nil {
 		t.Fatal(err)
 	}
 	has, _ = database.HasChannelInvite(ctx, chID, sid)
 	if has {
 		t.Fatal("invite should be cleared")
 	}
 }
 func TestChannelSecret(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	chID, err := database.GetOrCreateChannel(ctx, "#secret")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Default: not secret.
 	isSec, err := database.IsChannelSecret(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if isSec {
 		t.Fatal("should not be secret by default")
 	}
 	err = database.SetChannelSecret(ctx, chID, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 	isSec, _ = database.IsChannelSecret(ctx, chID)
 	if !isSec {
 		t.Fatal("should be secret")
 	}
 }
 // createTestSession is a helper to create a session and
 // return only the session ID.
 func createTestSession(
 	t *testing.T,
 	database *db.Database,
 	nick string,
 ) int64 {
 	t.Helper()
 	sid, _, _, err := database.CreateSession(
 		t.Context(), nick, "", "", "",
 	)
 	if err != nil {
 		t.Fatalf("create session %s: %v", nick, err)
 	}
 	return sid
 }
 func TestSecretChannelFiltering(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	// Create two sessions.
 	sid1 := createTestSession(t, database, "member")
 	sid2 := createTestSession(t, database, "outsider")
 	// Create a secret channel.
 	chID, _ := database.GetOrCreateChannel(ctx, "#secret")
 	_ = database.SetChannelSecret(ctx, chID, true)
 	_ = database.JoinChannel(ctx, chID, sid1)
 	// Create a non-secret channel.
 	chID2, _ := database.GetOrCreateChannel(ctx, "#public")
 	_ = database.JoinChannel(ctx, chID2, sid1)
 	// Member should see both.
 	list, err := database.ListAllChannelsWithCountsFiltered(
 		ctx, sid1,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(list) != 2 {
 		t.Fatalf("member should see 2 channels, got %d", len(list))
 	}
 	// Outsider should only see public.
 	list, _ = database.ListAllChannelsWithCountsFiltered(
 		ctx, sid2,
 	)
 	if len(list) != 1 {
 		t.Fatalf("outsider should see 1 channel, got %d", len(list))
 	}
 	if list[0].Name != "#public" {
 		t.Fatalf("outsider should see #public, got %s", list[0].Name)
 	}
 }
 func TestWhoisChannelFiltering(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sid1 := createTestSession(t, database, "target")
 	sid2 := createTestSession(t, database, "querier")
 	// Create secret channel, target joins it.
 	chID, _ := database.GetOrCreateChannel(ctx, "#hidden")
 	_ = database.SetChannelSecret(ctx, chID, true)
 	_ = database.JoinChannel(ctx, chID, sid1)
 	// Querier (non-member) should not see the channel.
 	channels, err := database.GetSessionChannelsFiltered(
 		ctx, sid1, sid2,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(channels) != 0 {
 		t.Fatalf(
 			"querier should see 0 channels, got %d",
 			len(channels),
 		)
 	}
 	// Target querying self should see it.
 	channels, _ = database.GetSessionChannelsFiltered(
 		ctx, sid1, sid1,
 	)
 	if len(channels) != 1 {
 		t.Fatalf(
 			"self-query should see 1 channel, got %d",
 			len(channels),
 		)
 	}
 }
 //nolint:dupl // structurally similar to TestChannelUserLimit
 func TestChannelKey(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	chID, err := database.GetOrCreateChannel(ctx, "#keyed")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Default: no key.
 	key, err := database.GetChannelKey(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if key != "" {
 		t.Fatalf("expected empty key, got %q", key)
 	}
 	// Set key.
 	err = database.SetChannelKey(ctx, chID, "secret123")
 	if err != nil {
 		t.Fatal(err)
 	}
 	key, _ = database.GetChannelKey(ctx, chID)
 	if key != "secret123" {
 		t.Fatalf("expected secret123, got %q", key)
 	}
 	// Clear key.
 	err = database.SetChannelKey(ctx, chID, "")
 	if err != nil {
 		t.Fatal(err)
 	}
 	key, _ = database.GetChannelKey(ctx, chID)
 	if key != "" {
 		t.Fatalf("expected empty key, got %q", key)
 	}
 }
 //nolint:dupl // structurally similar to TestChannelKey
 func TestChannelUserLimit(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	chID, err := database.GetOrCreateChannel(ctx, "#limited")
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Default: no limit.
 	limit, err := database.GetChannelUserLimit(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if limit != 0 {
 		t.Fatalf("expected 0 limit, got %d", limit)
 	}
 	// Set limit.
 	err = database.SetChannelUserLimit(ctx, chID, 50)
 	if err != nil {
 		t.Fatal(err)
 	}
 	limit, _ = database.GetChannelUserLimit(ctx, chID)
 	if limit != 50 {
 		t.Fatalf("expected 50, got %d", limit)
 	}
 	// Clear limit.
 	err = database.SetChannelUserLimit(ctx, chID, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
 	limit, _ = database.GetChannelUserLimit(ctx, chID)
 	if limit != 0 {
 		t.Fatalf("expected 0, got %d", limit)
 	}
 }
--- a/internal/db/schema/001_initial.sql
+++ b/internal/db/schema/001_initial.sql
@@ -10,7 +10,6 @@ CREATE TABLE IF NOT EXISTS sessions (
    hostname TEXT NOT NULL DEFAULT '',
    ip TEXT NOT NULL DEFAULT '',
    is_oper INTEGER NOT NULL DEFAULT 0,
    is_wallops INTEGER NOT NULL DEFAULT 0,
    password_hash TEXT NOT NULL DEFAULT '',
    signing_key TEXT NOT NULL DEFAULT '',
    away_message TEXT NOT NULL DEFAULT '',
@@ -41,45 +40,15 @@ CREATE TABLE IF NOT EXISTS channels (
    topic_set_by TEXT NOT NULL DEFAULT '',
    topic_set_at DATETIME,
    hashcash_bits INTEGER NOT NULL DEFAULT 0,
    is_moderated INTEGER NOT NULL DEFAULT 0,
    is_topic_locked INTEGER NOT NULL DEFAULT 1,
    is_invite_only INTEGER NOT NULL DEFAULT 0,
    is_secret INTEGER NOT NULL DEFAULT 0,
    channel_key TEXT NOT NULL DEFAULT '',
    user_limit INTEGER NOT NULL DEFAULT 0,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );
 -- Channel bans
 CREATE TABLE IF NOT EXISTS channel_bans (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
    mask TEXT NOT NULL,
    set_by TEXT NOT NULL,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    UNIQUE(channel_id, mask)
 );
 CREATE INDEX IF NOT EXISTS idx_channel_bans_channel ON channel_bans(channel_id);
 -- Channel invites (in-memory would be simpler but DB survives restarts)
 CREATE TABLE IF NOT EXISTS channel_invites (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
    invited_by TEXT NOT NULL DEFAULT '',
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    UNIQUE(channel_id, session_id)
 );
 CREATE INDEX IF NOT EXISTS idx_channel_invites_channel ON channel_invites(channel_id);
 -- Channel members
 CREATE TABLE IF NOT EXISTS channel_members (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
    is_operator INTEGER NOT NULL DEFAULT 0,
    is_voiced INTEGER NOT NULL DEFAULT 0,
    joined_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    UNIQUE(channel_id, session_id)
 );
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -28,21 +28,6 @@ func (hdlr *Handlers) handleLogin(
 	writer http.ResponseWriter,
 	request *http.Request,
 ) {
 	ip := clientIP(request)
 	if !hdlr.loginLimiter.Allow(ip) {
 		writer.Header().Set(
 			"Retry-After", "1",
 		)
 		hdlr.respondError(
 			writer, request,
 			"too many login attempts, try again later",
 			http.StatusTooManyRequests,
 		)
 		return
 	}
 	type loginRequest struct {
 		Nick     string `json:"nick"`
 		Password string `json:"password"`
@@ -73,16 +58,6 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 	hdlr.executeLogin(
 		writer, request, payload.Nick, payload.Password,
 	)
 }
 func (hdlr *Handlers) executeLogin(
 	writer http.ResponseWriter,
 	request *http.Request,
 	nick, password string,
 ) {
 	remoteIP := clientIP(request)
 	hostname := resolveHostname(
@@ -92,7 +67,8 @@ func (hdlr *Handlers) executeLogin(
 	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
-			nick, password,
+			payload.Nick,
 			payload.Password,
 			remoteIP, hostname,
 		)
 	if err != nil {
@@ -108,20 +84,20 @@ func (hdlr *Handlers) executeLogin(
 	hdlr.stats.IncrConnections()
 	hdlr.deliverMOTD(
-		request, clientID, sessionID, nick,
+		request, clientID, sessionID, payload.Nick,
 	)
 	// Initialize channel state so the new client knows
 	// which channels the session already belongs to.
 	hdlr.initChannelState(
-		request, clientID, sessionID, nick,
+		request, clientID, sessionID, payload.Nick,
 	)
 	hdlr.setAuthCookie(writer, request, token)
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":   sessionID,
-		"nick": nick,
+		"nick": payload.Nick,
 	}, http.StatusOK)
 }
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -16,7 +16,6 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/hashcash"
 	"git.eeqj.de/sneak/neoirc/internal/healthcheck"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	"git.eeqj.de/sneak/neoirc/internal/ratelimit"
 	"git.eeqj.de/sneak/neoirc/internal/stats"
 	"go.uber.org/fx"
 )
@@ -50,7 +49,6 @@ type Handlers struct {
 	broker          *broker.Broker
 	hashcashVal     *hashcash.Validator
 	channelHashcash *hashcash.ChannelValidator
 	loginLimiter    *ratelimit.Limiter
 	stats           *stats.Tracker
 	cancelCleanup   context.CancelFunc
 }
@@ -65,16 +63,6 @@ func New(
 		resource = "neoirc"
 	}
 	loginRate := params.Config.LoginRateLimit
 	if loginRate <= 0 {
 		loginRate = ratelimit.DefaultRate
 	}
 	loginBurst := params.Config.LoginRateBurst
 	if loginBurst <= 0 {
 		loginBurst = ratelimit.DefaultBurst
 	}
 	hdlr := &Handlers{ //nolint:exhaustruct // cancelCleanup set in startCleanup
 		params:          &params,
 		log:             params.Logger.Get(),
@@ -82,7 +70,6 @@ func New(
 		broker:          broker.New(),
 		hashcashVal:     hashcash.NewValidator(resource),
 		channelHashcash: hashcash.NewChannelValidator(),
 		loginLimiter:    ratelimit.New(loginRate, loginBurst),
 		stats:           params.Stats,
 	}
@@ -175,10 +162,6 @@ func (hdlr *Handlers) stopCleanup() {
 	if hdlr.cancelCleanup != nil {
 		hdlr.cancelCleanup()
 	}
 	if hdlr.loginLimiter != nil {
 		hdlr.loginLimiter.Stop()
 	}
 }
 func (hdlr *Handlers) cleanupLoop(ctx context.Context) {
--- a/internal/handlers/utility.go
+++ b/internal/handlers/utility.go
@@ -1,727 +0,0 @@
 package handlers
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
 )
 // maxUserhostNicks is the maximum number of nicks allowed
 // in a single USERHOST query (RFC 2812).
 const maxUserhostNicks = 5
 // dispatchBodyOnlyCommand routes commands that take
 // (writer, request, sessionID, clientID, nick, bodyLines).
 func (hdlr *Handlers) dispatchBodyOnlyCommand(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, command string,
 	bodyLines func() []string,
 ) {
 	switch command {
 	case irc.CmdAway:
 		hdlr.handleAway(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdNick:
 		hdlr.handleNick(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdPass:
 		hdlr.handlePass(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdInvite:
 		hdlr.handleInvite(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	}
 }
 // dispatchOperCommand routes oper-related commands (OPER,
 // KILL, WALLOPS) to their handlers.
 func (hdlr *Handlers) dispatchOperCommand(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, command string,
 	bodyLines func() []string,
 ) {
 	switch command {
 	case irc.CmdOper:
 		hdlr.handleOper(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdKill:
 		hdlr.handleKill(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdWallops:
 		hdlr.handleWallops(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	}
 }
 // handleUserhost handles the USERHOST command.
 // Returns user@host info for up to 5 nicks.
 func (hdlr *Handlers) handleUserhost(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 	bodyLines func() []string,
 ) {
 	ctx := request.Context()
 	lines := bodyLines()
 	if len(lines) == 0 {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdUserhost},
 			"Not enough parameters",
 		)
 		return
 	}
 	// Limit to 5 nicks per RFC 2812.
 	nicks := lines
 	if len(nicks) > maxUserhostNicks {
 		nicks = nicks[:maxUserhostNicks]
 	}
 	infos, err := hdlr.params.Database.GetUserhostInfo(
 		ctx, nicks,
 	)
 	if err != nil {
 		hdlr.log.Error(
 			"userhost query failed", "error", err,
 		)
 		hdlr.respondError(
 			writer, request,
 			"internal error",
 			http.StatusInternalServerError,
 		)
 		return
 	}
 	replyStr := hdlr.buildUserhostReply(infos)
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplUserHost, nick, nil,
 		replyStr,
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // buildUserhostReply builds the RPL_USERHOST reply
 // string per RFC 2812.
 func (hdlr *Handlers) buildUserhostReply(
 	infos []db.UserhostInfo,
 ) string {
 	replies := make([]string, 0, len(infos))
 	for idx := range infos {
 		info := &infos[idx]
 		username := info.Username
 		if username == "" {
 			username = info.Nick
 		}
 		hostname := info.Hostname
 		if hostname == "" {
 			hostname = hdlr.serverName()
 		}
 		operStar := ""
 		if info.IsOper {
 			operStar = "*"
 		}
 		awayPrefix := "+"
 		if info.AwayMessage != "" {
 			awayPrefix = "-"
 		}
 		replies = append(replies,
 			info.Nick+operStar+"="+
 				awayPrefix+username+"@"+hostname,
 		)
 	}
 	return strings.Join(replies, " ")
 }
 // handleVersion handles the VERSION command.
 // Returns the server version string.
 func (hdlr *Handlers) handleVersion(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 ) {
 	ctx := request.Context()
 	srvName := hdlr.serverName()
 	version := hdlr.serverVersion()
 	// 351 RPL_VERSION
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplVersion, nick,
 		[]string{version + ".", srvName},
 		"",
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // handleAdmin handles the ADMIN command.
 // Returns server admin contact info.
 func (hdlr *Handlers) handleAdmin(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 ) {
 	ctx := request.Context()
 	srvName := hdlr.serverName()
 	// 256 RPL_ADMINME
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplAdminMe, nick,
 		[]string{srvName},
 		"Administrative info",
 	)
 	// 257 RPL_ADMINLOC1
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplAdminLoc1, nick, nil,
 		"neoirc server",
 	)
 	// 258 RPL_ADMINLOC2
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplAdminLoc2, nick, nil,
 		"IRC over HTTP",
 	)
 	// 259 RPL_ADMINEMAIL
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplAdminEmail, nick, nil,
 		"admin@"+srvName,
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // handleInfo handles the INFO command.
 // Returns server software information.
 func (hdlr *Handlers) handleInfo(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 ) {
 	ctx := request.Context()
 	version := hdlr.serverVersion()
 	infoLines := []string{
 		"neoirc — IRC semantics over HTTP",
 		"Version: " + version,
 		"Written in Go",
 		"Started: " +
 			hdlr.params.Globals.StartTime.
 				Format(time.RFC1123),
 	}
 	for _, line := range infoLines {
 		// 371 RPL_INFO
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplInfo, nick, nil,
 			line,
 		)
 	}
 	// 374 RPL_ENDOFINFO
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplEndOfInfo, nick, nil,
 		"End of /INFO list",
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // handleTime handles the TIME command.
 // Returns the server's local time in RFC format.
 func (hdlr *Handlers) handleTime(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 ) {
 	ctx := request.Context()
 	srvName := hdlr.serverName()
 	// 391 RPL_TIME
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplTime, nick,
 		[]string{srvName},
 		time.Now().Format(time.RFC1123),
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // handleKill handles the KILL command.
 // Forcibly disconnects a user (oper only).
 func (hdlr *Handlers) handleKill(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 	bodyLines func() []string,
 ) {
 	ctx := request.Context()
 	// Check oper status.
 	isOper, err := hdlr.params.Database.IsSessionOper(
 		ctx, sessionID,
 	)
 	if err != nil || !isOper {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNoPrivileges, nick, nil,
 			"Permission Denied- You're not an IRC operator",
 		)
 		return
 	}
 	lines := bodyLines()
 	if len(lines) == 0 {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdKill},
 			"Not enough parameters",
 		)
 		return
 	}
 	targetNick := strings.TrimSpace(lines[0])
 	if targetNick == "" {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdKill},
 			"Not enough parameters",
 		)
 		return
 	}
 	reason := "KILLed"
 	if len(lines) > 1 {
 		reason = lines[1]
 	}
 	targetSID, lookupErr := hdlr.params.Database.
 		GetSessionByNick(ctx, targetNick)
 	if lookupErr != nil {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNoSuchNick, nick,
 			[]string{targetNick},
 			"No such nick/channel",
 		)
 		return
 	}
 	// Do not allow killing yourself.
 	if targetSID == sessionID {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrCantKillServer, nick, nil,
 			"You cannot KILL yourself",
 		)
 		return
 	}
 	hdlr.executeKillUser(
 		request, targetSID, targetNick, nick, reason,
 	)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // executeKillUser forcibly disconnects a user: broadcasts
 // QUIT to their channels, parts all channels, and deletes
 // the session.
 func (hdlr *Handlers) executeKillUser(
 	request *http.Request,
 	targetSID int64,
 	targetNick, killerNick, reason string,
 ) {
 	ctx := request.Context()
 	quitMsg := "Killed (" + killerNick + " (" + reason + "))"
 	quitBody, err := json.Marshal([]string{quitMsg})
 	if err != nil {
 		hdlr.log.Error(
 			"marshal kill quit body", "error", err,
 		)
 		return
 	}
 	channels, _ := hdlr.params.Database.
 		GetSessionChannels(ctx, targetSID)
 	notified := map[int64]bool{}
 	var dbID int64
 	if len(channels) > 0 {
 		dbID, _, _ = hdlr.params.Database.InsertMessage(
 			ctx, irc.CmdQuit, targetNick, "",
 			nil, json.RawMessage(quitBody), nil,
 		)
 	}
 	for _, chanInfo := range channels {
 		memberIDs, _ := hdlr.params.Database.
 			GetChannelMemberIDs(ctx, chanInfo.ID)
 		for _, mid := range memberIDs {
 			if mid != targetSID && !notified[mid] {
 				notified[mid] = true
 				_ = hdlr.params.Database.EnqueueToSession(
 					ctx, mid, dbID,
 				)
 				hdlr.broker.Notify(mid)
 			}
 		}
 		_ = hdlr.params.Database.PartChannel(
 			ctx, chanInfo.ID, targetSID,
 		)
 		_ = hdlr.params.Database.DeleteChannelIfEmpty(
 			ctx, chanInfo.ID,
 		)
 	}
 	_ = hdlr.params.Database.DeleteSession(
 		ctx, targetSID,
 	)
 }
 // handleWallops handles the WALLOPS command.
 // Broadcasts a message to all users with +w usermode
 // (oper only).
 func (hdlr *Handlers) handleWallops(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 	bodyLines func() []string,
 ) {
 	ctx := request.Context()
 	// Check oper status.
 	isOper, err := hdlr.params.Database.IsSessionOper(
 		ctx, sessionID,
 	)
 	if err != nil || !isOper {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNoPrivileges, nick, nil,
 			"Permission Denied- You're not an IRC operator",
 		)
 		return
 	}
 	lines := bodyLines()
 	if len(lines) == 0 {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdWallops},
 			"Not enough parameters",
 		)
 		return
 	}
 	message := strings.Join(lines, " ")
 	wallopsSIDs, err := hdlr.params.Database.
 		GetWallopsSessionIDs(ctx)
 	if err != nil {
 		hdlr.log.Error(
 			"get wallops sessions failed", "error", err,
 		)
 		hdlr.respondError(
 			writer, request,
 			"internal error",
 			http.StatusInternalServerError,
 		)
 		return
 	}
 	if len(wallopsSIDs) > 0 {
 		body, mErr := json.Marshal([]string{message})
 		if mErr != nil {
 			hdlr.log.Error(
 				"marshal wallops body", "error", mErr,
 			)
 			hdlr.respondError(
 				writer, request,
 				"internal error",
 				http.StatusInternalServerError,
 			)
 			return
 		}
 		_ = hdlr.fanOutSilent(
 			request, irc.CmdWallops, nick, "*",
 			json.RawMessage(body), wallopsSIDs,
 		)
 	}
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // handleUserMode handles user mode queries and changes
 // (e.g., MODE nick, MODE nick +w).
 func (hdlr *Handlers) handleUserMode(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, target string,
 	bodyLines func() []string,
 ) {
 	ctx := request.Context()
 	lines := bodyLines()
 	// Mode change requested.
 	if len(lines) > 0 {
 		// Users can only change their own modes.
 		if target != nick && target != "" {
 			hdlr.respondIRCError(
 				writer, request, clientID, sessionID,
 				irc.ErrUsersDoNotMatch, nick, nil,
 				"Can't change mode for other users",
 			)
 			return
 		}
 		hdlr.applyUserModeChange(
 			writer, request,
 			sessionID, clientID, nick, lines[0],
 		)
 		return
 	}
 	// Mode query — build the current mode string.
 	modeStr := hdlr.buildUserModeString(ctx, sessionID)
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplUmodeIs, nick, nil,
 		modeStr,
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // buildUserModeString constructs the mode string for a
 // user (e.g., "+ow" for oper+wallops).
 func (hdlr *Handlers) buildUserModeString(
 	ctx context.Context,
 	sessionID int64,
 ) string {
 	modes := "+"
 	isOper, err := hdlr.params.Database.IsSessionOper(
 		ctx, sessionID,
 	)
 	if err == nil && isOper {
 		modes += "o"
 	}
 	isWallops, err := hdlr.params.Database.IsSessionWallops(
 		ctx, sessionID,
 	)
 	if err == nil && isWallops {
 		modes += "w"
 	}
 	return modes
 }
 // applyUserModeChange applies a user mode change string
 // (e.g., "+w", "-w").
 func (hdlr *Handlers) applyUserModeChange(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, modeStr string,
 ) {
 	ctx := request.Context()
 	if len(modeStr) < 2 { //nolint:mnd // +/- and mode char
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrUmodeUnknownFlag, nick, nil,
 			"Unknown MODE flag",
 		)
 		return
 	}
 	adding := modeStr[0] == '+'
 	modeChar := modeStr[1:]
 	applied, err := hdlr.applyModeChar(
 		ctx, writer, request,
 		sessionID, clientID, nick,
 		modeChar, adding,
 	)
 	if err != nil || !applied {
 		return
 	}
 	newModes := hdlr.buildUserModeString(ctx, sessionID)
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplUmodeIs, nick, nil,
 		newModes,
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // applyModeChar applies a single user mode character.
 // Returns (applied, error).
 func (hdlr *Handlers) applyModeChar(
 	ctx context.Context,
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, modeChar string,
 	adding bool,
 ) (bool, error) {
 	switch modeChar {
 	case "w":
 		err := hdlr.params.Database.SetSessionWallops(
 			ctx, sessionID, adding,
 		)
 		if err != nil {
 			hdlr.log.Error(
 				"set wallops mode failed", "error", err,
 			)
 			hdlr.respondError(
 				writer, request,
 				"internal error",
 				http.StatusInternalServerError,
 			)
 			return false, fmt.Errorf(
 				"set wallops: %w", err,
 			)
 		}
 	case "o":
 		// +o cannot be set via MODE, only via OPER.
 		if adding {
 			hdlr.respondIRCError(
 				writer, request, clientID, sessionID,
 				irc.ErrUmodeUnknownFlag, nick, nil,
 				"Unknown MODE flag",
 			)
 			return false, nil
 		}
 		err := hdlr.params.Database.SetSessionOper(
 			ctx, sessionID, false,
 		)
 		if err != nil {
 			hdlr.log.Error(
 				"clear oper mode failed", "error", err,
 			)
 			hdlr.respondError(
 				writer, request,
 				"internal error",
 				http.StatusInternalServerError,
 			)
 			return false, fmt.Errorf(
 				"clear oper: %w", err,
 			)
 		}
 	default:
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrUmodeUnknownFlag, nick, nil,
 			"Unknown MODE flag",
 		)
 		return false, nil
 	}
 	return true, nil
 }
--- a/internal/handlers/utility_test.go
+++ b/internal/handlers/utility_test.go
@@ -1,982 +0,0 @@
 // Tests for Tier 3 utility IRC commands: USERHOST,
 // VERSION, ADMIN, INFO, TIME, KILL, WALLOPS.
 //
 //nolint:paralleltest
 package handlers_test
 import (
 	"strings"
 	"testing"
 )
 // --- USERHOST ---
 func TestUserhostSingleNick(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("alice")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "USERHOST",
 		bodyKey:    []string{"alice"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 302 RPL_USERHOST.
 	msg := findNumericWithParams(msgs, "302")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_USERHOST (302), got %v",
 			msgs,
 		)
 	}
 	// Body should contain "alice" with the
 	// nick=+user@host format.
 	body := getNumericBody(msg)
 	if !strings.Contains(body, "alice") {
 		t.Fatalf(
 			"expected body to contain 'alice', got %q",
 			body,
 		)
 	}
 	// '+' means not away.
 	if !strings.Contains(body, "=+") {
 		t.Fatalf(
 			"expected not-away prefix '=+', got %q",
 			body,
 		)
 	}
 }
 func TestUserhostMultipleNicks(t *testing.T) {
 	tserver := newTestServer(t)
 	token1 := tserver.createSession("bob")
 	token2 := tserver.createSession("carol")
 	_ = token2
 	_, lastID := tserver.pollMessages(token1, 0)
 	tserver.sendCommand(token1, map[string]any{
 		commandKey: "USERHOST",
 		bodyKey:    []string{"bob", "carol"},
 	})
 	msgs, _ := tserver.pollMessages(token1, lastID)
 	msg := findNumericWithParams(msgs, "302")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_USERHOST (302), got %v",
 			msgs,
 		)
 	}
 	body := getNumericBody(msg)
 	if !strings.Contains(body, "bob") {
 		t.Fatalf(
 			"expected body to contain 'bob', got %q",
 			body,
 		)
 	}
 	if !strings.Contains(body, "carol") {
 		t.Fatalf(
 			"expected body to contain 'carol', got %q",
 			body,
 		)
 	}
 }
 func TestUserhostNonexistentNick(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("dave")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "USERHOST",
 		bodyKey:    []string{"nobody"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Should still get 302 but with empty body.
 	msg := findNumericWithParams(msgs, "302")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_USERHOST (302), got %v",
 			msgs,
 		)
 	}
 }
 func TestUserhostNoParams(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("eve")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "USERHOST",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 461 ERR_NEEDMOREPARAMS.
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
 func TestUserhostShowsOper(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	token := tserver.createSession("opernick")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Authenticate as oper.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	// USERHOST should show '*' for oper.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "USERHOST",
 		bodyKey:    []string{"opernick"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	msg := findNumericWithParams(msgs, "302")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_USERHOST (302), got %v",
 			msgs,
 		)
 	}
 	body := getNumericBody(msg)
 	if !strings.Contains(body, "opernick*=") {
 		t.Fatalf(
 			"expected oper '*' in reply, got %q",
 			body,
 		)
 	}
 }
 func TestUserhostShowsAway(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("awaynick")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Set away.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "AWAY",
 		bodyKey:    []string{"gone fishing"},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	// USERHOST should show '-' for away.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "USERHOST",
 		bodyKey:    []string{"awaynick"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	msg := findNumericWithParams(msgs, "302")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_USERHOST (302), got %v",
 			msgs,
 		)
 	}
 	body := getNumericBody(msg)
 	if !strings.Contains(body, "=-") {
 		t.Fatalf(
 			"expected away prefix '=-' in reply, got %q",
 			body,
 		)
 	}
 }
 // --- VERSION ---
 func TestVersion(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("frank")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "VERSION",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 351 RPL_VERSION.
 	msg := findNumericWithParams(msgs, "351")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_VERSION (351), got %v",
 			msgs,
 		)
 	}
 	params := getNumericParams(msg)
 	if len(params) == 0 {
 		t.Fatal("expected VERSION params, got none")
 	}
 	// First param should contain version string.
 	if !strings.Contains(params[0], "test") {
 		t.Fatalf(
 			"expected version to contain 'test', got %q",
 			params[0],
 		)
 	}
 }
 // --- ADMIN ---
 func TestAdmin(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("grace")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "ADMIN",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 256 RPL_ADMINME.
 	if !findNumeric(msgs, "256") {
 		t.Fatalf(
 			"expected RPL_ADMINME (256), got %v",
 			msgs,
 		)
 	}
 	// Expect 257 RPL_ADMINLOC1.
 	if !findNumeric(msgs, "257") {
 		t.Fatalf(
 			"expected RPL_ADMINLOC1 (257), got %v",
 			msgs,
 		)
 	}
 	// Expect 258 RPL_ADMINLOC2.
 	if !findNumeric(msgs, "258") {
 		t.Fatalf(
 			"expected RPL_ADMINLOC2 (258), got %v",
 			msgs,
 		)
 	}
 	// Expect 259 RPL_ADMINEMAIL.
 	if !findNumeric(msgs, "259") {
 		t.Fatalf(
 			"expected RPL_ADMINEMAIL (259), got %v",
 			msgs,
 		)
 	}
 }
 // --- INFO ---
 func TestInfo(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("hank")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "INFO",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 371 RPL_INFO (at least one).
 	if !findNumeric(msgs, "371") {
 		t.Fatalf(
 			"expected RPL_INFO (371), got %v",
 			msgs,
 		)
 	}
 	// Expect 374 RPL_ENDOFINFO.
 	if !findNumeric(msgs, "374") {
 		t.Fatalf(
 			"expected RPL_ENDOFINFO (374), got %v",
 			msgs,
 		)
 	}
 }
 // --- TIME ---
 func TestTime(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("iris")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "TIME",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 391 RPL_TIME.
 	msg := findNumericWithParams(msgs, "391")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_TIME (391), got %v",
 			msgs,
 		)
 	}
 }
 // --- KILL ---
 func TestKillSuccess(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	// Create the victim first.
 	victimToken := tserver.createSession("victim")
 	_ = victimToken
 	// Create oper user.
 	operToken := tserver.createSession("killer")
 	_, lastID := tserver.pollMessages(operToken, 0)
 	// Authenticate as oper.
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	_, lastID = tserver.pollMessages(operToken, lastID)
 	// Kill the victim.
 	status, result := tserver.sendCommand(
 		operToken, map[string]any{
 			commandKey: "KILL",
 			bodyKey:    []string{"victim", "go away"},
 		},
 	)
 	if status != 200 {
 		t.Fatalf("expected 200, got %d: %v", status, result)
 	}
 	resultStatus, _ := result[statusKey].(string)
 	if resultStatus != "ok" {
 		t.Fatalf(
 			"expected status ok, got %v",
 			result,
 		)
 	}
 	// Verify the victim's session is gone by trying
 	// to WHOIS them.
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "WHOIS",
 		toKey:      "victim",
 	})
 	msgs, _ := tserver.pollMessages(operToken, lastID)
 	// Should get 401 ERR_NOSUCHNICK.
 	if !findNumeric(msgs, "401") {
 		t.Fatalf(
 			"expected victim to be gone (401), got %v",
 			msgs,
 		)
 	}
 }
 func TestKillNotOper(t *testing.T) {
 	tserver := newTestServer(t)
 	_ = tserver.createSession("target")
 	token := tserver.createSession("notoper")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "KILL",
 		bodyKey:    []string{"target", "no reason"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 481 ERR_NOPRIVILEGES.
 	if !findNumeric(msgs, "481") {
 		t.Fatalf(
 			"expected ERR_NOPRIVILEGES (481), got %v",
 			msgs,
 		)
 	}
 }
 func TestKillNoParams(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	token := tserver.createSession("opertest")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "KILL",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 461 ERR_NEEDMOREPARAMS.
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
 // sendOperKillCommand is a helper that creates an oper
 // session, authenticates, then sends KILL with the given
 // target nick, and returns the resulting messages.
 func sendOperKillCommand(
 	t *testing.T,
 	tserver *testServer,
 	operNick, targetNick string,
 ) []map[string]any {
 	t.Helper()
 	token := tserver.createSession(operNick)
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "KILL",
 		bodyKey:    []string{targetNick},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	return msgs
 }
 func TestKillNonexistentUser(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	msgs := sendOperKillCommand(
 		t, tserver, "opertest2", "ghost",
 	)
 	// Expect 401 ERR_NOSUCHNICK.
 	if !findNumeric(msgs, "401") {
 		t.Fatalf(
 			"expected ERR_NOSUCHNICK (401), got %v",
 			msgs,
 		)
 	}
 }
 func TestKillSelf(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	msgs := sendOperKillCommand(
 		t, tserver, "selfkiller", "selfkiller",
 	)
 	// Expect 483 ERR_CANTKILLSERVER.
 	if !findNumeric(msgs, "483") {
 		t.Fatalf(
 			"expected ERR_CANTKILLSERVER (483), got %v",
 			msgs,
 		)
 	}
 }
 func TestKillBroadcastsQuit(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	// Create victim and join a channel.
 	victimToken := tserver.createSession("vuser")
 	tserver.sendCommand(victimToken, map[string]any{
 		commandKey: joinCmd,
 		toKey:      "#killtest",
 	})
 	// Create observer and join same channel.
 	observerToken := tserver.createSession("observer")
 	tserver.sendCommand(observerToken, map[string]any{
 		commandKey: joinCmd,
 		toKey:      "#killtest",
 	})
 	_, lastObs := tserver.pollMessages(observerToken, 0)
 	// Create oper.
 	operToken := tserver.createSession("theoper2")
 	tserver.pollMessages(operToken, 0)
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	tserver.pollMessages(operToken, 0)
 	// Kill the victim.
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "KILL",
 		bodyKey:    []string{"vuser", "testing kill"},
 	})
 	// Observer should see a QUIT message.
 	msgs, _ := tserver.pollMessages(observerToken, lastObs)
 	foundQuit := false
 	for _, msg := range msgs {
 		cmd, _ := msg["command"].(string)
 		if cmd == "QUIT" {
 			from, _ := msg["from"].(string)
 			if from == "vuser" {
 				foundQuit = true
 				break
 			}
 		}
 	}
 	if !foundQuit {
 		t.Fatalf(
 			"expected QUIT from vuser, got %v",
 			msgs,
 		)
 	}
 }
 // --- WALLOPS ---
 func TestWallopsSuccess(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	// Create receiver with +w.
 	receiverToken := tserver.createSession("receiver")
 	tserver.sendCommand(receiverToken, map[string]any{
 		commandKey: "MODE",
 		toKey:      "receiver",
 		bodyKey:    []string{"+w"},
 	})
 	_, lastRecv := tserver.pollMessages(receiverToken, 0)
 	// Create oper.
 	operToken := tserver.createSession("walloper")
 	tserver.pollMessages(operToken, 0)
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	tserver.pollMessages(operToken, 0)
 	// Also set +w on oper so they receive it too.
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "MODE",
 		toKey:      "walloper",
 		bodyKey:    []string{"+w"},
 	})
 	tserver.pollMessages(operToken, 0)
 	// Send WALLOPS.
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "WALLOPS",
 		bodyKey:    []string{"server going down"},
 	})
 	// Receiver should get the WALLOPS message.
 	msgs, _ := tserver.pollMessages(receiverToken, lastRecv)
 	foundWallops := false
 	for _, msg := range msgs {
 		cmd, _ := msg["command"].(string)
 		if cmd == "WALLOPS" {
 			foundWallops = true
 			break
 		}
 	}
 	if !foundWallops {
 		t.Fatalf(
 			"expected WALLOPS message, got %v",
 			msgs,
 		)
 	}
 }
 func TestWallopsNotOper(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("notoper2")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "WALLOPS",
 		bodyKey:    []string{"hello"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 481 ERR_NOPRIVILEGES.
 	if !findNumeric(msgs, "481") {
 		t.Fatalf(
 			"expected ERR_NOPRIVILEGES (481), got %v",
 			msgs,
 		)
 	}
 }
 func TestWallopsNoParams(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	token := tserver.createSession("operempty")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "WALLOPS",
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 461 ERR_NEEDMOREPARAMS.
 	if !findNumeric(msgs, "461") {
 		t.Fatalf(
 			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
 }
 func TestWallopsNotReceivedWithoutW(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	// Create receiver WITHOUT +w.
 	receiverToken := tserver.createSession("nowallops")
 	_, lastRecv := tserver.pollMessages(receiverToken, 0)
 	// Create oper.
 	operToken := tserver.createSession("walloper2")
 	tserver.pollMessages(operToken, 0)
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	tserver.pollMessages(operToken, 0)
 	// Send WALLOPS.
 	tserver.sendCommand(operToken, map[string]any{
 		commandKey: "WALLOPS",
 		bodyKey:    []string{"secret message"},
 	})
 	// Receiver should NOT get the WALLOPS message.
 	msgs, _ := tserver.pollMessages(receiverToken, lastRecv)
 	for _, msg := range msgs {
 		cmd, _ := msg["command"].(string)
 		if cmd == "WALLOPS" {
 			t.Fatalf(
 				"did not expect WALLOPS for user "+
 					"without +w, got %v",
 				msgs,
 			)
 		}
 	}
 }
 // --- User Mode +w ---
 func TestUserModeSetW(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("wmoder")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Set +w.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "wmoder",
 		bodyKey:    []string{"+w"},
 	})
 	msgs, lastID := tserver.pollMessages(token, lastID)
 	// Expect 221 RPL_UMODEIS with "+w".
 	msg := findNumericWithParams(msgs, "221")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_UMODEIS (221), got %v",
 			msgs,
 		)
 	}
 	body := getNumericBody(msg)
 	if !strings.Contains(body, "w") {
 		t.Fatalf(
 			"expected mode string to contain 'w', got %q",
 			body,
 		)
 	}
 	// Now query mode.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "wmoder",
 	})
 	msgs, _ = tserver.pollMessages(token, lastID)
 	msg = findNumericWithParams(msgs, "221")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_UMODEIS (221) on query, got %v",
 			msgs,
 		)
 	}
 	body = getNumericBody(msg)
 	if !strings.Contains(body, "w") {
 		t.Fatalf(
 			"expected mode '+w' in query, got %q",
 			body,
 		)
 	}
 }
 func TestUserModeUnsetW(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("wunsetter")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Set +w first.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "wunsetter",
 		bodyKey:    []string{"+w"},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	// Unset -w.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "wunsetter",
 		bodyKey:    []string{"-w"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	msg := findNumericWithParams(msgs, "221")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_UMODEIS (221), got %v",
 			msgs,
 		)
 	}
 	body := getNumericBody(msg)
 	if strings.Contains(body, "w") {
 		t.Fatalf(
 			"expected 'w' to be removed, got %q",
 			body,
 		)
 	}
 }
 func TestUserModeUnknownFlag(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("badmode")
 	_, lastID := tserver.pollMessages(token, 0)
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "badmode",
 		bodyKey:    []string{"+z"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 501 ERR_UMODEUNKNOWNFLAG.
 	if !findNumeric(msgs, "501") {
 		t.Fatalf(
 			"expected ERR_UMODEUNKNOWNFLAG (501), got %v",
 			msgs,
 		)
 	}
 }
 func TestUserModeCannotSetO(t *testing.T) {
 	tserver := newTestServer(t)
 	token := tserver.createSession("tryoper")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Try to set +o via MODE (should fail).
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "tryoper",
 		bodyKey:    []string{"+o"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 501 ERR_UMODEUNKNOWNFLAG.
 	if !findNumeric(msgs, "501") {
 		t.Fatalf(
 			"expected ERR_UMODEUNKNOWNFLAG (501), got %v",
 			msgs,
 		)
 	}
 }
 func TestUserModeDeoper(t *testing.T) {
 	tserver := newTestServerWithOper(t)
 	token := tserver.createSession("deoper")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Authenticate as oper.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "OPER",
 		bodyKey:    []string{testOperName, testOperPassword},
 	})
 	_, lastID = tserver.pollMessages(token, lastID)
 	// Use MODE -o to de-oper.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "deoper",
 		bodyKey:    []string{"-o"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	msg := findNumericWithParams(msgs, "221")
 	if msg == nil {
 		t.Fatalf(
 			"expected RPL_UMODEIS (221), got %v",
 			msgs,
 		)
 	}
 	body := getNumericBody(msg)
 	if strings.Contains(body, "o") {
 		t.Fatalf(
 			"expected 'o' to be removed, got %q",
 			body,
 		)
 	}
 }
 func TestUserModeCannotChangeOtherUser(t *testing.T) {
 	tserver := newTestServer(t)
 	_ = tserver.createSession("other")
 	token := tserver.createSession("changer")
 	_, lastID := tserver.pollMessages(token, 0)
 	// Try to change another user's mode.
 	tserver.sendCommand(token, map[string]any{
 		commandKey: "MODE",
 		toKey:      "other",
 		bodyKey:    []string{"+w"},
 	})
 	msgs, _ := tserver.pollMessages(token, lastID)
 	// Expect 502 ERR_USERSDONTMATCH.
 	if !findNumeric(msgs, "502") {
 		t.Fatalf(
 			"expected ERR_USERSDONTMATCH (502), got %v",
 			msgs,
 		)
 	}
 }
 // getNumericBody extracts the body text from a numeric
 // message. The body is stored as a JSON array; this
 // returns the first element.
 func getNumericBody(msg map[string]any) string {
 	raw, exists := msg["body"]
 	if !exists || raw == nil {
 		return ""
 	}
 	arr, isArr := raw.([]any)
 	if !isArr || len(arr) == 0 {
 		return ""
 	}
 	str, isStr := arr[0].(string)
 	if !isStr {
 		return ""
 	}
 	return str
 }
--- a/internal/ratelimit/ratelimit.go
+++ b/internal/ratelimit/ratelimit.go
@@ -1,122 +0,0 @@
 // Package ratelimit provides per-IP rate limiting for HTTP endpoints.
 package ratelimit
 import (
 	"sync"
 	"time"
 	"golang.org/x/time/rate"
 )
 const (
 	// DefaultRate is the default number of allowed requests per second.
 	DefaultRate = 1.0
 	// DefaultBurst is the default maximum burst size.
 	DefaultBurst = 5
 	// DefaultSweepInterval controls how often stale entries are pruned.
 	DefaultSweepInterval = 10 * time.Minute
 	// DefaultEntryTTL is how long an unused entry lives before eviction.
 	DefaultEntryTTL = 15 * time.Minute
 )
 // entry tracks a per-IP rate limiter and when it was last used.
 type entry struct {
 	limiter  *rate.Limiter
 	lastSeen time.Time
 }
 // Limiter manages per-key rate limiters with automatic cleanup
 // of stale entries.
 type Limiter struct {
 	mu       sync.Mutex
 	entries  map[string]*entry
 	rate     rate.Limit
 	burst    int
 	entryTTL time.Duration
 	stopCh   chan struct{}
 }
 // New creates a new per-key rate Limiter.
 // The ratePerSec parameter sets how many requests per second are
 // allowed per key.  The burst parameter sets the maximum number of
 // requests that can be made in a single burst.
 func New(ratePerSec float64, burst int) *Limiter {
 	limiter := &Limiter{
 		mu:       sync.Mutex{},
 		entries:  make(map[string]*entry),
 		rate:     rate.Limit(ratePerSec),
 		burst:    burst,
 		entryTTL: DefaultEntryTTL,
 		stopCh:   make(chan struct{}),
 	}
 	go limiter.sweepLoop()
 	return limiter
 }
 // Allow reports whether a request from the given key should be
 // allowed.  It consumes one token from the key's rate limiter.
 func (l *Limiter) Allow(key string) bool {
 	l.mu.Lock()
 	ent, exists := l.entries[key]
 	if !exists {
 		ent = &entry{
 			limiter:  rate.NewLimiter(l.rate, l.burst),
 			lastSeen: time.Now(),
 		}
 		l.entries[key] = ent
 	} else {
 		ent.lastSeen = time.Now()
 	}
 	l.mu.Unlock()
 	return ent.limiter.Allow()
 }
 // Stop terminates the background sweep goroutine.
 func (l *Limiter) Stop() {
 	close(l.stopCh)
 }
 // Len returns the number of tracked keys (for testing).
 func (l *Limiter) Len() int {
 	l.mu.Lock()
 	defer l.mu.Unlock()
 	return len(l.entries)
 }
 // sweepLoop periodically removes entries that haven't been seen
 // within the TTL.
 func (l *Limiter) sweepLoop() {
 	ticker := time.NewTicker(DefaultSweepInterval)
 	defer ticker.Stop()
 	for {
 		select {
 		case <-ticker.C:
 			l.sweep()
 		case <-l.stopCh:
 			return
 		}
 	}
 }
 // sweep removes stale entries.
 func (l *Limiter) sweep() {
 	l.mu.Lock()
 	defer l.mu.Unlock()
 	cutoff := time.Now().Add(-l.entryTTL)
 	for key, ent := range l.entries {
 		if ent.lastSeen.Before(cutoff) {
 			delete(l.entries, key)
 		}
 	}
 }
--- a/internal/ratelimit/ratelimit_test.go
+++ b/internal/ratelimit/ratelimit_test.go
@@ -1,106 +0,0 @@
 package ratelimit_test
 import (
 	"testing"
 	"git.eeqj.de/sneak/neoirc/internal/ratelimit"
 )
 func TestNewCreatesLimiter(t *testing.T) {
 	t.Parallel()
 	limiter := ratelimit.New(1.0, 5)
 	defer limiter.Stop()
 	if limiter == nil {
 		t.Fatal("expected non-nil limiter")
 	}
 }
 func TestAllowWithinBurst(t *testing.T) {
 	t.Parallel()
 	limiter := ratelimit.New(1.0, 3)
 	defer limiter.Stop()
 	for i := range 3 {
 		if !limiter.Allow("192.168.1.1") {
 			t.Fatalf(
 				"request %d should be allowed within burst",
 				i+1,
 			)
 		}
 	}
 }
 func TestAllowExceedsBurst(t *testing.T) {
 	t.Parallel()
 	// Rate of 0 means no token replenishment, only burst.
 	limiter := ratelimit.New(0, 3)
 	defer limiter.Stop()
 	for range 3 {
 		limiter.Allow("10.0.0.1")
 	}
 	if limiter.Allow("10.0.0.1") {
 		t.Fatal("fourth request should be denied after burst exhausted")
 	}
 }
 func TestAllowSeparateKeys(t *testing.T) {
 	t.Parallel()
 	// Rate of 0, burst of 1 — only one request per key.
 	limiter := ratelimit.New(0, 1)
 	defer limiter.Stop()
 	if !limiter.Allow("10.0.0.1") {
 		t.Fatal("first request for key A should be allowed")
 	}
 	if !limiter.Allow("10.0.0.2") {
 		t.Fatal("first request for key B should be allowed")
 	}
 	if limiter.Allow("10.0.0.1") {
 		t.Fatal("second request for key A should be denied")
 	}
 	if limiter.Allow("10.0.0.2") {
 		t.Fatal("second request for key B should be denied")
 	}
 }
 func TestLenTracksKeys(t *testing.T) {
 	t.Parallel()
 	limiter := ratelimit.New(1.0, 5)
 	defer limiter.Stop()
 	if limiter.Len() != 0 {
 		t.Fatalf("expected 0 entries, got %d", limiter.Len())
 	}
 	limiter.Allow("10.0.0.1")
 	limiter.Allow("10.0.0.2")
 	if limiter.Len() != 2 {
 		t.Fatalf("expected 2 entries, got %d", limiter.Len())
 	}
 	// Same key again should not increase count.
 	limiter.Allow("10.0.0.1")
 	if limiter.Len() != 2 {
 		t.Fatalf("expected 2 entries, got %d", limiter.Len())
 	}
 }
 func TestStopDoesNotPanic(t *testing.T) {
 	t.Parallel()
 	limiter := ratelimit.New(1.0, 5)
 	limiter.Stop()
 }
--- a/pkg/irc/commands.go
+++ b/pkg/irc/commands.go
@@ -2,32 +2,23 @@ package irc
 // IRC command names (RFC 1459 / RFC 2812).
 const (
-	CmdAdmin    = "ADMIN"
+	CmdAway    = "AWAY"
-	CmdAway     = "AWAY"
+	CmdJoin    = "JOIN"
-	CmdInfo     = "INFO"
+	CmdList    = "LIST"
-	CmdInvite   = "INVITE"
+	CmdLusers  = "LUSERS"
-	CmdJoin     = "JOIN"
+	CmdMode    = "MODE"
-	CmdKick     = "KICK"
+	CmdMotd    = "MOTD"
-	CmdKill     = "KILL"
+	CmdNames   = "NAMES"
-	CmdList     = "LIST"
+	CmdNick    = "NICK"
-	CmdLusers   = "LUSERS"
+	CmdNotice  = "NOTICE"
-	CmdMode     = "MODE"
+	CmdOper    = "OPER"
-	CmdMotd     = "MOTD"
+	CmdPass    = "PASS"
-	CmdNames    = "NAMES"
+	CmdPart    = "PART"
-	CmdNick     = "NICK"
+	CmdPing    = "PING"
-	CmdNotice   = "NOTICE"
+	CmdPong    = "PONG"
-	CmdOper     = "OPER"
+	CmdPrivmsg = "PRIVMSG"
-	CmdPass     = "PASS"
+	CmdQuit    = "QUIT"
-	CmdPart     = "PART"
+	CmdTopic   = "TOPIC"
-	CmdPing     = "PING"
+	CmdWho     = "WHO"
-	CmdPong     = "PONG"
+	CmdWhois   = "WHOIS"
 	CmdPrivmsg  = "PRIVMSG"
 	CmdQuit     = "QUIT"
 	CmdTime     = "TIME"
 	CmdTopic    = "TOPIC"
 	CmdUserhost = "USERHOST"
 	CmdVersion  = "VERSION"
 	CmdWallops  = "WALLOPS"
 	CmdWho      = "WHO"
 	CmdWhois    = "WHOIS"
 )