add a benchmark for NAMES

tweak member caching
tweaks to NAMES implementation
2023-04-03 03:40:04 -04:00 · 2023-04-02 17:18:41 -04:00 · 2023-04-02 02:30:14 -04:00
556 changed files with 12753 additions and 39376 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -12,14 +12,14 @@ on:
 jobs:
  build:
-    runs-on: "ubuntu-22.04"
+    runs-on: "ubuntu-20.04"
    steps:
      - name: "checkout repository"
        uses: "actions/checkout@v3"
      - name: "setup go"
        uses: "actions/setup-go@v3"
        with:
-          go-version: "1.23"
+          go-version: "1.20"
      - name: "install python3-pytest"
        run: "sudo apt install -y python3-pytest"
      - name: "make install"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,6 +1,5 @@
 # .goreleaser.yml
 # Build customization
 version: 2
 project_name: ergo
 builds:
  - main: ergo.go
@ -18,7 +17,6 @@ builds:
      - amd64
      - arm
      - arm64
      - riscv64
    goarm:
      - 6
    ignore:
@ -26,41 +24,30 @@ builds:
        goarch: arm
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: riscv64
      - goos: darwin
        goarch: arm
      - goos: darwin
        goarch: riscv64
      - goos: freebsd
        goarch: arm
      - goos: freebsd
        goarch: arm64
      - goos: freebsd
        goarch: riscv64
      - goos: openbsd
        goarch: arm
      - goos: openbsd
        goarch: arm64
      - goos: openbsd
        goarch: riscv64
      - goos: plan9
        goarch: arm
      - goos: plan9
        goarch: arm64
      - goos: plan9
        goarch: riscv64
    flags:
      - -trimpath
 archives:
  -
-    name_template: >-
+    name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
            {{ .ProjectName }}-{{ .Version }}-
            {{- if eq .Os "darwin" }}macos{{- else }}{{ .Os }}{{ end -}}-
            {{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end -}}
            {{ if .Arm }}v{{ .Arm }}{{ end -}}
    format: tar.gz
    replacements:
      amd64: x86_64
      darwin: macos
    format_overrides:
      - goos: windows
        format: zip
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,142 +1,6 @@
 # Changelog
 All notable changes to Ergo will be documented in this file.
 ## [2.14.0] - 2024-06-30
 We're pleased to be publishing v2.14.0, a new stable release. This release contains primarily bug fixes, with the addition of some new authentication mechanisms for integrating with web clients.
 This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.
 Many thanks to [@al3xandros](https://github.com/al3xandros), donio, [@eeeeeta](https://github.com/eeeeeta), [@emersion](https://github.com/emersion), [@Eriner](https://github.com/Eriner), [@eskimo](https://github.com/eskimo), [@Herringway](https://github.com/Herringway), [@jwheare](https://github.com/jwheare), [@knolley](https://github.com/knolley), [@mengzhuo](https://github.com/mengzhuo), pathof, [@poVoq](https://github.com/poVoq), [@progval](https://github.com/progval), [@RNDpacman](https://github.com/RNDpacman), and [@xnaas](https://github.com/xnaas) for contributing patches, reporting issues, and helping test.
 ### Config changes
 * Added `accounts.oauth2` and `accounts.jwt-auth` blocks for configuring OAuth2 and JWT authentication (#2004)
 * Added `protocol` and `local-address` options to `accounts.registration.email-verification`, to force emails to be sent over IPv4 (or IPv6) or to force the use of a particular source address (#2142)
 * Added `limits.realnamelen`, a configurable limit on the length of realnames. If unset, no limit is enforced beyond the IRC protocol line length limits (the previous behavior). (#2123, thanks [@eskimo](https://github.com/eskimo)!)
 * Added the `accept-hostname` option to the webirc config block, allowing Ergo to accept hostnames passed from reverse proxies on the `WEBIRC` line. Note that this will have no effect under the default/recommended configuration, in which cloaks are used instead (#1686, #2146, thanks [@RNDpacman](https://github.com/RNDpacman)!)
 * The default/recommended value of `limits.chan-list-modes` (the size limit for ban/except/invite lists) was raised to 100 (#2081, #2165, #2167)
 ### Added
 * Added support for the `OAUTHBEARER` SASL mechanism, allowing Ergo to interoperate with Gamja and an OAuth2 provider (#2004, #2122, thanks [@emersion](https://github.com/emersion)!)
 * Added support for the [`IRCV3BEARER` SASL mechanism](https://github.com/ircv3/ircv3-specifications/pull/545), allowing Ergo to accept OAuth2 or JWT bearer tokens (#2158)
 * Added support for the legacy `rfc1459` and `rfc1459-strict` casemappings (#2099, #2159, thanks [@xnaas](https://github.com/xnaas)!)
 * The new `ergo defaultconfig` subcommand prints a copy of the default config file to standard output (#2157, #2160, thanks [@al3xandros](https://github.com/al3xandros)!)
 ### Fixed
 * Even with `allow-truncation: false` (the recommended default), some oversized messages were being accepted and relayed with truncation. These messages will now be rejected with `417 ERR_INPUTTOOLONG` as expected (#2170)
 * NICK and QUIT from invisible members of auditorium channels are no longer recorded in history (#2133, #2137, thanks [@knolley](https://github.com/knolley) and [@poVoq](https://github.com/poVoq)!)
 * If channel registration was disabled, registered channels could become inaccessible after rehash; this has been fixed (#2130, thanks [@eeeeeta](https://github.com/eeeeeta)!)
 * Attempts to use unrecognized SASL mechanisms no longer count against the login throttle, improving compatibility with Pidgin (#2156, thanks donio and pathof!)
 * Fixed database autoupgrade on Windows, which was previously broken due to the use of a colon in the backup filename (#2139, #2140, thanks [@Herringway](https://github.com/Herringway)!)
 * Fixed handling of `NS CERT ADD <user> <fp>` when an unprivileged user invokes it on themself (#2128, #2098, thanks [@Eriner](https://github.com/Eriner)!)
 * Fixed missing human-readable trailing parameters for two multiline `FAIL` messages (#2043, #2162, thanks [@jwheare](https://github.com/jwheare) and [@progval](https://github.com/progval)!)
 * Fixed symbol sent by `353 RPL_NAMREPLY` for secret channels (#2144, #2145, thanks savoyard!)
 ### Changed
 * Trying to claim a registered nickname that is also actually in use by another client now produces `433 ERR_NICKNAMEINUSE` as expected (#2135, #2136, thanks savoyard!)
 * `SAMODE` now overrides the enforcement of `limits.chan-list-modes` (the size limit for ban/except/invite lists) (#2081, #2165)
 * Certain unsuccessful `MODE` changes no longer send `324 RPL_CHANNELMODEIS` and `329 RPL_CREATIONTIME` (#2163)
 * Debug logging for environment variable configuration overrides no longer prints the value, only the key (#2129, #2132, thanks [@eeeeeta](https://github.com/eeeeeta)!)
 ### Internal
 * Official release builds use Go 1.22.4
 * Added a linux/riscv64 release (#2172, #2173, thanks [@mengzhuo](https://github.com/mengzhuo)!)
 ## [2.13.1] - 2024-05-06
 Ergo 2.13.1 is a bugfix release, fixing an exploitable deadlock that could lead to a denial of service. We regret the oversight.
 This release includes no changes to the config file format or database format.
 ### Security
 * Fixed an exploitable deadlock that could lead to a denial of service (#2149)
 ### Internal
 * Official release builds use Go 1.22.2
 ## [2.13.0] - 2024-01-14
 We're pleased to be publishing v2.13.0, a new stable release. This is a bugfix release that fixes some issues, including a crash.
 This release includes no changes to the config file format or database format.
 Many thanks to [@dallemon](https://github.com/dallemon), [@jwheare](https://github.com/jwheare), [@Mikaela](https://github.com/Mikaela), [@nealey](https://github.com/nealey), and [@Sheikah45](https://github.com/Sheikah45) for contributing patches, reporting issues, and helping test.
 ### Fixed
 * Fixed a (hopefully rare) crash when persisting always-on client statuses (#2113, #2117, thanks [@Sheikah45](https://github.com/Sheikah45)!)
 * Fixed not being able to message channels with `/` (or the configured `RELAYMSG` separator) in their names (#2114, thanks [@Mikaela](https://github.com/Mikaela)!)
 * Verification emails now always include a `Message-ID` header, improving compatibility with Gmail (#2108, #2110)
 * Improved human-readable description of `REDACT_FORBIDDEN` (#2101, thanks [@jwheare](https://github.com/jwheare)!)
 ### Removed
 * Removed numerics associated with the retired ACC spec (#2109, #2111, thanks [@jwheare](https://github.com/jwheare)!)
 ### Internal
 * Upgraded the Docker base image from Alpine 3.13 to 3.19. The resulting images are incompatible with Docker 19.x and lower (all currently non-EOL Docker versions should be supported). (#2103)
 * Official release builds use Go 1.21.6
 ## [2.12.0] - 2023-10-10
 We're pleased to be publishing v2.12.0, a new stable release. This is another bugfix release aimed at improving client compatibility and keeping up with the IRCv3 specification process.
 This release includes changes to the config file format, one of which is a compatibility break: if you were using `accounts.email-verification.blacklist-regexes`, you can restore the previous functionality by renaming `blacklist-regexes` to `address-blacklist` and setting the additional key `address-blacklist-syntax: regex`. See [default.yaml](https://github.com/ergochat/ergo/blob/e7597876d987a6fc061b768fcf878d0035d1c85a/default.yaml#L422-L424) for an example; for more details, see the "Changed" section below.
 This release includes a database change. If you have `datastore.autoupgrade` set to `true` in your configuration, it will be automatically applied when you restart Ergo. Otherwise, you can update the database manually by running `ergo upgradedb` (see the manual for complete instructions).
 Many thanks to [@adsr](https://github.com/adsr), [@avollmerhaus](https://github.com/avollmerhaus), [@csmith](https://github.com/csmith), [@EchedeyLR](https://github.com/EchedeyLR), [@emersion](https://github.com/emersion), [@eskimo](https://github.com/eskimo), [@julio-b](https://github.com/julio-b), knolle, [@KoxSosen](https://github.com/KoxSosen), [@Mikaela](https://github.com/Mikaela), [@mogad0n](https://github.com/mogad0n), and [@progval](https://github.com/progval) for contributing patches, reporting issues, and helping test.
 ### Config changes
 * Removed `accounts.email-verification.blacklist-regexes` in favor of `address-blacklist`, `address-blacklist-syntax`, and `address-blacklist-file`. See the "Changed" section below for the semantics of these new keys. (#1997, #2088)
 * Added `implicit-tls` (TLS from the first byte) support for MTAs (#2048, #2049, thanks [@EchedeyLR](https://github.com/EchedeyLR)!)
 ### Fixed
 * Fixed an edge case under `allow-truncation: true` (the recommended default is `false`) where Ergo could truncate a message in the middle of a UTF-8 codepoint (#2074)
 * Fixed `CHATHISTORY TARGETS` being sent in a batch even without negotiation of the `batch` capability (#2066, thanks [@julio-b](https://github.com/julio-b)!)
 * Errors from `/REHASH` are now properly sanitized before being sent to the user, fixing an edge case where they would be dropped (#2031, thanks [@eskimo](https://github.com/eskimo)!
 * Fixed some edge cases in auto-away aggregation (#2044)
 * Fixed a FAIL code sent by draft/account-registration (#2092, thanks [@progval](https://github.com/progval)!)
 * Fixed a socket leak in the ident client (default/recommended configurations of Ergo disable ident and are not affected by this issue) (#2089)
 ### Changed
 * Bouncer reattach from an "insecure" session is no longer disallowed. We continue to recommend that operators preemptively disable all insecure transports, such as plaintext listeners (#2013)
 * Email addresses are now converted to lowercase before checking them against the blacklist (#1997, #2088)
 * The default syntax for the email address blacklist is now "glob" (expressions with `*` and `?` as wildcard characters), as opposed to the full [Go regular expression syntax](https://github.com/google/re2/wiki/Syntax). To enable full regular expression syntax, set `address-blacklist-syntax: regex`.
 * Due to line length limitations, some capabilities are now hidden from clients that only support version 301 CAP negotiation. To the best of our knowledge, all clients that support these capabilities also support version 302 CAP negotiation, rendering this moot (#2068)
 * The default/recommended configuration now advertises the SCRAM-SHA-256 SASL method. We still do not recommend using this method in production. (#2032)
 * Improved KILL messages (#2053, #2041, thanks [@mogad0n](https://github.com/mogad0n)!)
 ### Added
 * Added support for automatically joining new clients to a channel or channels (#2077, #2079, thanks [@adsr](https://github.com/adsr)!)
 * Added implicit TLS (TLS from the first byte) support for MTAs (#2048, #2049, thanks [@EchedeyLR](https://github.com/EchedeyLR)!)
 * Added support for [draft/message-redaction](https://github.com/ircv3/ircv3-specifications/pull/524) (#2065, thanks [@progval](https://github.com/progval)!)
 * Added support for [draft/pre-away](https://github.com/ircv3/ircv3-specifications/pull/514) (#2044)
 * Added support for [draft/no-implicit-names](https://github.com/ircv3/ircv3-specifications/pull/527) (#2083)
 * Added support for the [MSGREFTYPES](https://ircv3.net/specs/extensions/chathistory#isupport-tokens) 005 token (#2042)
 * Ergo now advertises the [standard-replies](https://ircv3.net/specs/extensions/standard-replies) capability. Requesting this capability does not change Ergo's behavior.
 ### Internal
 * Release builds are now statically linked by default. This should not affect normal chat operations, but may disrupt attempts to connect to external services (e.g. MTAs) that are configured using a hostname that relies on libc's name resolution behavior. To restore the old behavior, build from source with `CGO_ENABLED=1`. (#2023)
 * Upgraded to Go 1.21 (#2045, #2084); official release builds use Go 1.21.3, which includes a fix for CVE-2023-44487
 * The default `make` target is now `build` (which builds an `ergo` binary in the working directory) instead of `install` (which builds and installs an `ergo` binary to `${GOPATH}/bin/ergo`). Take note if building from source, or testing Ergo in development! (#2047)
 * `make irctest` now depends on `make install`, in an attempt to ensure that irctest runs against the intended development version of Ergo (#2047)
 ## [2.11.1] - 2022-01-22
 Ergo 2.11.1 is a bugfix release, fixing a denial-of-service issue in our websocket implementation. We regret the oversight.
 This release includes no changes to the config file format or database file format.
 ### Security
 * Fixed a denial-of-service issue affecting websocket clients (#2039)
 ## [2.11.0] - 2022-12-25
 We're pleased to be publishing v2.11.0, a new stable release. This is another bugfix release aimed at improving client compatibility and keeping up with the IRCv3 specification process.
--- a/20
+++ b/20
@ -1,8 +1,7 @@
 ## build ergo binary
-FROM docker.io/golang:1.23-alpine AS build-env
+FROM golang:1.20-alpine AS build-env
-RUN apk upgrade -U --force-refresh --no-cache
+RUN apk add -U --force-refresh --no-cache --purge --clean-protected -l -u make git
 RUN apk add --no-cache --purge --clean-protected -l -u make git
 # copy ergo source
 WORKDIR /go/src/github.com/ergochat/ergo
@ -17,7 +16,14 @@ RUN sed -i 's/^\(\s*\)\"127.0.0.1:6667\":.*$/\1":6667":/' /go/src/github.com/erg
 RUN make install
 ## build ergo container
-FROM docker.io/alpine:3.19
+FROM alpine:3.13
 # metadata
 LABEL maintainer="Daniel Oaks <daniel@danieloaks.net>,Daniel Thamdrup <dallemon@protonmail.com>" \
      description="Ergo is a modern, experimental IRC server written in Go"
 # standard ports listened on
 EXPOSE 6667/tcp 6697/tcp
 # ergo itself
 COPY --from=build-env /go/bin/ergo \
@ -33,4 +39,10 @@ WORKDIR /ircd
 # default motd
 COPY --from=build-env /go/src/github.com/ergochat/ergo/ergo.motd /ircd/ergo.motd
 # launch
 ENTRYPOINT ["/ircd-bin/run.sh"]
 # # uncomment to debug
 # RUN apk add --no-cache bash
 # RUN apk add --no-cache vim
 # CMD /bin/bash
--- a/6
+++ b/6
@ -12,13 +12,13 @@ capdef_file = ./irc/caps/defs.go
 all: build
 install:
-	go install -mod=mod -v -ldflags "-X main.commit=$(GIT_COMMIT) -X main.version=$(GIT_TAG)"
+	go install -v -ldflags "-X main.commit=$(GIT_COMMIT) -X main.version=$(GIT_TAG)"
 build:
-	go build -mod=mod -v -ldflags "-X main.commit=$(GIT_COMMIT) -X main.version=$(GIT_TAG)"
+	go build -v -ldflags "-X main.commit=$(GIT_COMMIT) -X main.version=$(GIT_TAG)"
 release:
-	goreleaser --skip=publish --clean
+	goreleaser --skip-publish --rm-dist
 capdefs:
 	python3 ./gencapdefs.py > ${capdef_file}
--- a/6
+++ b/6
@ -33,15 +33,15 @@ Modify the config file as needed (the recommendations at the top may be helpful)
 To generate passwords for opers and connect passwords, you can use this command:
-    $ ./ergo genpasswd
+    $ ergo genpasswd
 If you need to generate self-signed TLS certificates, use this command:
-    $ ./ergo mkcerts
+    $ ergo mkcerts
 You are now ready to start Ergo!
-    $ ./ergo run
+    $ ergo run
 For further instructions, consult the manual. A copy of the manual should be
 included in your release under `docs/MANUAL.md`. Or you can view it on the
--- a/README.md
+++ b/README.md
@ -55,8 +55,8 @@ Extract it into a folder, then run the following commands:
 ```sh
 cp default.yaml ircd.yaml
 vim ircd.yaml   # modify the config file to your liking
-./ergo mkcerts
+ergo mkcerts
-./ergo run     # server should be ready to go!
+ergo run     # server should be ready to go!
 ```
 **Note:** See the [productionizing guide in our manual](https://github.com/ergochat/ergo/blob/stable/docs/MANUAL.md#productionizing-with-systemd) for recommendations on how to run a production network, including obtaining valid TLS certificates.
--- a/default.yaml
+++ b/default.yaml
@ -134,10 +134,9 @@ server:
    # the recommended default is 'ascii' (traditional ASCII-only identifiers).
    # the other options are 'precis', which allows UTF8 identifiers that are "sane"
    # (according to UFC 8265), with additional mitigations for homoglyph attacks,
-    # 'permissive', which allows identifiers containing unusual characters like
+    # and 'permissive', which allows identifiers containing unusual characters like
    # emoji, at the cost of increased vulnerability to homoglyph attacks and potential
-    # client compatibility problems, and the legacy mappings 'rfc1459' and
+    # client compatibility problems. we recommend leaving this value at its default;
    # 'rfc1459-strict'. we recommend leaving this value at its default;
    # however, note that changing it once the network is already up and running is
    # problematic.
    casemapping: "ascii"
@ -219,10 +218,6 @@ server:
                # - "192.168.1.1"
                # - "192.168.10.1/24"
            # whether to accept the hostname parameter on the WEBIRC line as the IRC hostname
            # (the default/recommended Ergo configuration will use cloaks instead)
            accept-hostname: false
    # maximum length of clients' sendQ in bytes
    # this should be big enough to hold bursts of channel/direct messages
    max-sendq: 96k
@ -369,7 +364,7 @@ server:
    # in a "closed-loop" system where you control the server and all the clients,
    # you may want to increase the maximum (non-tag) length of an IRC line from
    # the default value of 512. DO NOT change this on a public server:
-    max-line-len: 2048
+    # max-line-len: 512
    # send all 0's as the LUSERS (user counts) output to non-operators; potentially useful
    # if you don't want to publicize how popular the server is
@ -410,10 +405,6 @@ accounts:
            sender: "admin@my.network"
            require-tls: true
            helo-domain: "my.network" # defaults to server name if unset
            # set to `tcp4` to force sending over IPv4, `tcp6` to force IPv6:
            # protocol: "tcp4"
            # set to force a specific source/local IPv4 or IPv6 address:
            # local-address: "1.2.3.4"
            # options to enable DKIM signing of outgoing emails (recommended, but
            # requires creating a DNS entry for the public key):
            # dkim:
@ -427,14 +418,8 @@ accounts:
            #     username: "admin"
            #     password: "hunter2"
            #     implicit-tls: false # TLS from the first byte, typically on port 465
-            # addresses that are not accepted for registration:
+            blacklist-regexes:
-            address-blacklist:
+            #    - ".*@mailinator.com"
            #    - "*@mailinator.com"
            address-blacklist-syntax: "glob" # change to "regex" for regular expressions
            # file of newline-delimited address blacklist entries (no enclosing quotes)
            # in the above syntax (i.e. either globs or regexes). supersedes
            # address-blacklist if set:
            # address-blacklist-file: "/path/to/address-blacklist-file"
            timeout: 60s
            # email-based password reset:
            password-reset:
@ -595,40 +580,6 @@ accounts:
        # how many scripts are allowed to run at once? 0 for no limit:
        max-concurrency: 64
    # support for login via OAuth2 bearer tokens
    oauth2:
        enabled: false
        # should we automatically create users on presentation of a valid token?
        autocreate: true
        # enable this to use auth-script for validation:
        auth-script: false
        introspection-url: "https://example.com/api/oidc/introspection"
        introspection-timeout: 10s
        # omit for auth method `none`; required for auth method `client_secret_basic`:
        client-id: "ergo"
        client-secret: "4TA0I7mJ3fUUcW05KJiODg"
    # support for login via JWT bearer tokens
    jwt-auth:
        enabled: false
        # should we automatically create users on presentation of a valid token?
        autocreate: true
        # any of these token definitions can be accepted, allowing for key rotation
        tokens:
            -
                algorithm: "hmac" # either 'hmac', 'rsa', or 'eddsa' (ed25519)
                # hmac takes a symmetric key, rsa and eddsa take PEM-encoded public keys;
                # either way, the key can be specified either as a YAML string:
                key: "nANiZ1De4v6WnltCHN2H7Q"
                # or as a path to the file containing the key:
                #key-file: "jwt_pubkey.pem"
                # list of JWT claim names to search for the user's account name (make sure the format
                # is what you expect, especially if using "sub"):
                account-claims: ["preferred_username"]
                # if a claim is formatted as an email address, require it to have the following domain,
                # and then strip off the domain and use the local-part as the account name:
                #strip-domain: "example.com"
 # channel options
 channels:
    # modes that are set when new channels are created
@ -664,12 +615,6 @@ channels:
    # (0 or omit for no expiration):
    invite-expiration: 24h
    # channels that new clients will automatically join. this should be used with
    # caution, since traditional IRC users will likely view it as an antifeature.
    # it may be useful in small community networks that have a single "primary" channel:
    #auto-join:
    #    - "#lounge"
 # operator classes:
 # an operator has a single "class" (defining a privilege level), which can include
 # multiple "capabilities" (defining privileged actions they can take). all
@ -820,7 +765,7 @@ lock-file: "ircd.lock"
 # datastore configuration
 datastore:
-    # path to the database file (used to store account and channel registrations):
+    # path to the datastore
    path: ircd.db
    # if the database schema requires an upgrade, `autoupgrade` will attempt to
@ -863,9 +808,6 @@ limits:
    # identlen is the max ident length allowed
    identlen: 20
    # realnamelen is the maximum realname length allowed
    realnamelen: 150
    # channellen is the max channel length allowed
    channellen: 64
@ -885,7 +827,7 @@ limits:
    whowas-entries: 100
    # maximum length of channel lists (beI modes)
-    chan-list-modes: 100
+    chan-list-modes: 60
    # maximum number of messages to accept during registration (prevents
    # DoS / resource exhaustion attacks):
@ -1040,8 +982,7 @@ history:
    # options to control how messages are stored and deleted:
    retention:
-        # allow users to delete their own messages from history,
+        # allow users to delete their own messages from history?
        # and channel operators to delete messages in their channel?
        allow-individual-delete: false
        # if persistent history is enabled, create additional index tables,
@ -1067,9 +1008,3 @@ history:
 # whether to allow customization of the config at runtime using environment variables,
 # e.g., ERGO__SERVER__MAX_SENDQ=128k. see the manual for more details.
 allow-environment-overrides: true
 cef:
    imagor:
        url: "https://example.com/embed/"
        secret: "secretgoeshere"
    redis: "redis://user:password@localhost:6379/0?protocol=3"
--- a/distrib/apparmor/ergo
+++ b/distrib/apparmor/ergo
@ -1,34 +0,0 @@
 include <tunables/global>
 # Georg Pfuetzenreuter <georg+ergo@lysergic.dev>
 # AppArmor confinement for ergo and ergo-ldap
 profile ergo /usr/bin/ergo {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice>
  /etc/ergo/ircd.{motd,yaml} r,
  /etc/ssl/irc/{crt,key} r,
  /etc/ssl/ergo/{crt,key} r,
  /usr/bin/ergo mr,
  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /usr/share/ergo/languages/{,*.lang.json,*.yaml} r,
  owner /run/ergo/ircd.lock rwk,
  owner /var/lib/ergo/ircd.db rw,
  include if exists <local/ergo>
 }
 profile ergo-ldap /usr/bin/ergo-ldap {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  /usr/bin/ergo-ldap rm,
  /etc/ergo/ldap.yaml r,
  include if exists <local/ergo-ldap>
 }
--- a/distrib/docker/README.md
+++ b/distrib/docker/README.md
@ -18,7 +18,7 @@ certificates. To get a working ircd, all you need to do is run the image and
 expose the ports:
 ```shell
-docker run --init --name ergo -d -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
+docker run --name ergo -d -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
 ```
 This will start Ergo and listen on ports 6667 (plain text) and 6697 (TLS).
@ -38,11 +38,6 @@ You should see a line similar to:
 Oper username:password is admin:cnn2tm9TP3GeI4vLaEMS
 ```
 We recommend the use of `--init` (`init: true` in docker-compose) to solve an
 edge case involving unreaped zombie processes when Ergo's script API is used
 for authentication or IP validation. For more details, see
 [krallin/tini#8](https://github.com/krallin/tini/issues/8).
 ## Persisting data
 Ergo has a persistent data store, used to keep account details, channel
@ -53,14 +48,14 @@ For example, to create a new docker volume and then mount it:
 ```shell
 docker volume create ergo-data
-docker run --init -d -v ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
+docker run -d -v ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
 ```
 Or to mount a folder from your host machine:
 ```shell
 mkdir ergo-data
-docker run --init -d -v $(PWD)/ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
+docker run -d -v $(PWD)/ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
 ```
 ## Customising the config
--- a/distrib/docker/docker-compose.yml
+++ b/distrib/docker/docker-compose.yml
@ -2,7 +2,6 @@ version: "3.8"
 services:
  ergo:
    init: true
    image: ghcr.io/ergochat/ergo:stable
    ports:
      - "6667:6667/tcp"
--- a/docs/MANUAL.md
+++ b/docs/MANUAL.md
@ -60,7 +60,6 @@ _Copyright © Daniel Oaks <daniel@danieloaks.net>, Shivaram Lingamneni <slingamn
    - [Migrating from Anope or Atheme](#migrating-from-anope-or-atheme)
    - [HOPM](#hopm)
    - [Tor](#tor)
    - [I2P](#i2p)
    - [ZNC](#znc)
    - [External authentication systems](#external-authentication-systems)
    - [DNSBLs and other IP checking systems](#dnsbls-and-other-ip-checking-systems)
@ -183,8 +182,8 @@ The recommended way to operate ergo as a service on Linux is via systemd. This p
 The only major distribution that currently packages Ergo is Arch Linux; the aforementioned AUR package includes a systemd unit file. However, it should be fairly straightforward to set up a productionized Ergo on any Linux distribution. Here's a quickstart guide for Debian/Ubuntu:
-1. Create a dedicated, unprivileged role user who will own the ergo process and all its associated files: `adduser --system --group --home=/home/ergo ergo`. This user now has a home directory at `/home/ergo`. To prevent other users from viewing Ergo's configuration file, database, and certificates, restrict the permissions on the home directory: `chmod 0700 /home/ergo`.
+1. Create a dedicated, unprivileged role user who will own the ergo process and all its associated files: `adduser --system --group ergo`. This user now has a home directory at `/home/ergo`. To prevent other users from viewing Ergo's configuration file, database, and certificates, restrict the permissions on the home directory: `chmod 0700 /home/ergo`.
-1. Copy the executable binary `ergo`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`fullchain.pem` and `privkey.pem`) to `/home/ergo`. (If you don't have an `ircd.db`, it will be auto-created as `/home/ergo/ircd.db` on first launch.) Ensure that they are all owned by the new ergo role user: `sudo chown -R ergo:ergo /home/ergo`. Ensure that the configuration file logs to stderr.
+1. Copy the executable binary `ergo`, the config file `ircd.yaml`, the database `ircd.db`, and the self-signed TLS certificate (`fullchain.pem` and `privkey.pem`) to `/home/ergo`. (If you don't have an `ircd.db`, it will be auto-created as `/home/ergo/ircd.db` on first launch.) Ensure that they are all owned by the new ergo role user: `sudo chown ergo:ergo /home/ergo/*`. Ensure that the configuration file logs to stderr.
 1. Install our example [ergo.service](https://github.com/ergochat/ergo/blob/stable/distrib/systemd/ergo.service) file to `/etc/systemd/system/ergo.service`.
 1. Enable and start the new service with the following commands:
    1. `systemctl daemon-reload`
@ -624,8 +623,6 @@ Many clients do not have this support. However, you can designate port 6667 as a
 Ergo supports the use of reverse proxies (such as nginx, or a Kubernetes [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)) that sit between it and the client. In these deployments, the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) is used to pass the end user's IP through to Ergo. These proxies can be used to terminate TLS externally to Ergo, e.g., if you need to support versions of the TLS protocol that are not implemented natively by Go, or if you want to consolidate your certificate management into a single nginx instance.
 ### IRC Sockets
 The first step is to add the reverse proxy's IP to `proxy-allowed-from` and `ip-limits.exempted`. (Use `localhost` to exempt all loopback IPs and Unix domain sockets.)
 After that, there are two possibilities:
@ -641,10 +638,6 @@ After that, there are two possibilities:
            proxy: true
 ```
 ### Websockets through HTTP reverse proxies
 Ergo will honor the `X-Forwarded-For` headers on incoming websocket connections, if the peer IP address appears in `proxy-allowed-from`. For these connections, set `proxy: false`, or omit the `proxy` option.
 ## Client certificates
@ -1034,14 +1027,6 @@ ProxyPass /webirc http://127.0.0.1:8067 upgrade=websocket
 ProxyPassReverse /webirc http://127.0.0.1:8067
 ```
 On Caddy, websocket proxying can be configured with:
 ```
 handle_path /webirc {
  reverse_proxy 127.0.0.1:8067
 }
 ```
 ## Migrating from Anope or Atheme
 You can import user and channel registrations from an Anope or Atheme database into a new Ergo database (not all features are supported). Use the following steps:
@ -1143,16 +1128,6 @@ Instructions on how client software should connect to an .onion address are outs
 1. [Hexchat](https://hexchat.github.io/) is known to support .onion addresses, once it has been configured to use a local Tor daemon as a SOCKS proxy (Settings -> Preferences -> Network Setup -> Proxy Server).
 1. Pidgin should work with [torsocks](https://trac.torproject.org/projects/tor/wiki/doc/torsocks).
 ## I2P
 I2P is an anonymizing overlay network similar to Tor. The recommended configuration for I2P is to treat it similarly to Tor: have the i2pd reverse proxy its connections to an Ergo listener configured with `tor: true`. See the [i2pd configuration guide](https://i2pd.readthedocs.io/en/latest/tutorials/irc/#running-anonymous-irc-server) for more details; note that the instructions to separate I2P traffic from other localhost traffic are unnecessary for a `tor: true` listener.
 I2P can additionally expose an opaque client identifier (the user's "b32 address"). Exposing this identifier via Ergo is not recommended, but if you wish to do so, you can use the following procedure:
 1. Enable WEBIRC support in the i2pd configuration by adding the `webircpassword` key to the [i2pd server block](https://i2pd.readthedocs.io/en/latest/tutorials/irc/#running-anonymous-irc-server)
 1. Remove `tor: true` from the relevant Ergo listener config
 1. Enable WEBIRC support in Ergo (starting from the default/recommended configuration, find the existing webirc block, delete the `certfp` configuration, change `password` to use the output of `ergo genpasswd` on the password you configured i2pd to send, and set `accept-hostname: true`)
 1. To prevent Ergo from overwriting the hostname as passed from i2pd, set the following options: `server.ip-cloaking.enabled: false` and `server.lookup-hostnames: false`. (There is currently no support for applying cloaks to regular IP traffic but displaying the b32 address for I2P traffic).
 ## ZNC
--- a/ergo.go
+++ b/ergo.go
@ -7,7 +7,6 @@ package main
 import (
 	"bufio"
 	_ "embed"
 	"fmt"
 	"log"
 	"os"
@ -15,7 +14,7 @@ import (
 	"syscall"
 	"golang.org/x/crypto/bcrypt"
-	"golang.org/x/term"
+	"golang.org/x/crypto/ssh/terminal"
 	"github.com/docopt/docopt-go"
 	"github.com/ergochat/ergo/irc"
@ -27,16 +26,19 @@ import (
 var commit = ""  // git hash
 var version = "" // tagged version
 //go:embed default.yaml
 var defaultConfig string
 // get a password from stdin from the user
-func getPasswordFromTerminal() string {
+func getPassword() string {
-	bytePassword, err := term.ReadPassword(int(syscall.Stdin))
+	fd := int(os.Stdin.Fd())
 	if terminal.IsTerminal(fd) {
 		bytePassword, err := terminal.ReadPassword(int(syscall.Stdin))
 		if err != nil {
 			log.Fatal("Error reading password:", err.Error())
 		}
 		return string(bytePassword)
 	}
 	reader := bufio.NewReader(os.Stdin)
 	text, _ := reader.ReadString('\n')
 	return strings.TrimSpace(text)
 }
 func fileDoesNotExist(file string) bool {
@ -98,7 +100,6 @@ Usage:
 	ergo importdb <database.json> [--conf <filename>] [--quiet]
 	ergo genpasswd [--conf <filename>] [--quiet]
 	ergo mkcerts [--conf <filename>] [--quiet]
 	ergo defaultconfig
 	ergo run [--conf <filename>] [--quiet] [--smoke]
 	ergo -h | --help
 	ergo --version
@ -113,20 +114,19 @@ Options:
 	// don't require a config file for genpasswd
 	if arguments["genpasswd"].(bool) {
 		var password string
-		if term.IsTerminal(int(syscall.Stdin)) {
+		fd := int(os.Stdin.Fd())
 		if terminal.IsTerminal(fd) {
 			fmt.Print("Enter Password: ")
-			password = getPasswordFromTerminal()
+			password = getPassword()
 			fmt.Print("\n")
 			fmt.Print("Reenter Password: ")
-			confirm := getPasswordFromTerminal()
+			confirm := getPassword()
 			fmt.Print("\n")
 			if confirm != password {
 				log.Fatal("passwords do not match")
 			}
 		} else {
-			reader := bufio.NewReader(os.Stdin)
+			password = getPassword()
 			text, _ := reader.ReadString('\n')
 			password = strings.TrimSpace(text)
 		}
 		if err := irc.ValidatePassphrase(password); err != nil {
 			log.Printf("WARNING: this password contains characters that may cause problems with your IRC client software.\n")
@ -136,10 +136,10 @@ Options:
 		if err != nil {
 			log.Fatal("encoding error:", err.Error())
 		}
-		fmt.Println(string(hash))
+		fmt.Print(string(hash))
-		return
+		if terminal.IsTerminal(fd) {
-	} else if arguments["defaultconfig"].(bool) {
+			fmt.Println()
-		fmt.Print(defaultConfig)
+		}
 		return
 	} else if arguments["mkcerts"].(bool) {
 		doMkcerts(arguments["--conf"].(string), arguments["--quiet"].(bool))
--- a/gencapdefs.py
+++ b/gencapdefs.py
@ -87,12 +87,6 @@ CAPDEFS = [
        url="https://gist.github.com/DanielOaks/8126122f74b26012a3de37db80e4e0c6",
        standard="proposed IRCv3",
    ),
    CapDef(
        identifier="MessageRedaction",
        name="draft/message-redaction",
        url="https://github.com/progval/ircv3-specifications/blob/redaction/extensions/message-redaction.md",
        standard="proposed IRCv3",
    ),
    CapDef(
        identifier="MessageTags",
        name="message-tags",
@ -213,18 +207,6 @@ CAPDEFS = [
        url="https://github.com/ircv3/ircv3-specifications/pull/506",
        standard="IRCv3",
    ),
   CapDef(
        identifier="NoImplicitNames",
        name="draft/no-implicit-names",
        url="https://github.com/ircv3/ircv3-specifications/pull/527",
        standard="proposed IRCv3",
    ),
   CapDef(
        identifier="ExtendedISupport",
        name="draft/extended-isupport",
        url="https://github.com/ircv3/ircv3-specifications/pull/543",
        standard="proposed IRCv3",
    ),
 ]
 def validate_defs():
--- a/go.mod
+++ b/go.mod
@ -1,39 +1,33 @@
 module github.com/ergochat/ergo
-go 1.23
+go 1.20
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20200131002437-cf55d5288a48
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815
 	github.com/ergochat/confusables v0.0.0-20201108231250-4ab98ab61fb1
-	github.com/ergochat/go-ident v0.0.0-20230911071154-8c30606d6881
+	github.com/ergochat/go-ident v0.0.0-20200511222032-830550b1d775
-	github.com/ergochat/irc-go v0.5.0-rc2
+	github.com/ergochat/irc-go v0.2.0
 	github.com/go-sql-driver/mysql v1.7.0
 	github.com/go-test/deep v1.0.6 // indirect
-	github.com/gofrs/flock v0.8.1
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/gorilla/websocket v1.4.2
 	github.com/okzk/sdnotify v0.0.0-20180710141335-d9becc38acbd
 	github.com/onsi/ginkgo v1.12.0 // indirect
 	github.com/onsi/gomega v1.9.0 // indirect
-	github.com/tidwall/buntdb v1.3.1
+	github.com/stretchr/testify v1.4.0 // indirect
 	github.com/tidwall/buntdb v1.2.10
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208
 	github.com/xdg-go/scram v1.0.2
-	golang.org/x/crypto v0.25.0
+	golang.org/x/crypto v0.5.0
-	golang.org/x/term v0.22.0
+	golang.org/x/text v0.6.0
 	golang.org/x/text v0.16.0
 	gopkg.in/yaml.v2 v2.4.0
 )
-require (
+require github.com/gofrs/flock v0.8.1
 	github.com/cshum/imagor v1.4.13
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/redis/go-redis/v9 v9.6.1
 )
 require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/tidwall/btree v1.4.2 // indirect
 	github.com/tidwall/gjson v1.14.3 // indirect
 	github.com/tidwall/grect v0.1.4 // indirect
@ -42,7 +36,8 @@ require (
 	github.com/tidwall/rtred v0.1.2 // indirect
 	github.com/tidwall/tinyqueue v0.1.1 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/sys v0.4.0 // indirect
 	golang.org/x/term v0.4.0 // indirect
 )
 replace github.com/gorilla/websocket => github.com/ergochat/websocket v1.4.2-oragono1
--- a/go.sum
+++ b/go.sum
@ -2,28 +2,16 @@ code.cloudfoundry.org/bytefmt v0.0.0-20200131002437-cf55d5288a48 h1:/EMHruHCFXR9
 code.cloudfoundry.org/bytefmt v0.0.0-20200131002437-cf55d5288a48/go.mod h1:wN/zk7mhREp/oviagqUXY3EwuHhWyOvAdsn5Y4CzOrc=
 github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
 github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
-github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
-github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cshum/imagor v1.4.13 h1:BFcSpsTUOJj+Wv5SzDeXa8bhsT/Ehw7EcrFD0UTdpmU=
 github.com/cshum/imagor v1.4.13/go.mod h1:LHxXgks6Y06GzEHitnlO8vcD5gznxIHWPdvGsnlGpMo=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815 h1:bWDMxwH3px2JBh6AyO7hdCn/PkvCZXii8TGj7sbtEbQ=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/ergochat/confusables v0.0.0-20201108231250-4ab98ab61fb1 h1:WLHTOodthVyv5NvYLIvWl112kSFv5IInKKrRN2qpons=
 github.com/ergochat/confusables v0.0.0-20201108231250-4ab98ab61fb1/go.mod h1:mov+uh1DPWsltdQnOdzn08UO9GsJ3MEvhtu0Ci37fdk=
-github.com/ergochat/go-ident v0.0.0-20230911071154-8c30606d6881 h1:+J5m88nvybxB5AnBVGzTXM/yHVytt48rXBGcJGzSbms=
+github.com/ergochat/go-ident v0.0.0-20200511222032-830550b1d775 h1:QSJIdpr3HOzJDPwxT7hp7WbjoZcS+5GqVvsBscqChk0=
-github.com/ergochat/go-ident v0.0.0-20230911071154-8c30606d6881/go.mod h1:ASYJtQujNitna6cVHsNQTGrfWvMPJ5Sa2lZlmsH65uM=
+github.com/ergochat/go-ident v0.0.0-20200511222032-830550b1d775/go.mod h1:d2qvgjD0TvGNSvUs+mZgX090RiJlrzUYW6vtANGOy3A=
-github.com/ergochat/irc-go v0.5.0-rc1 h1:kFoIHExoNFQ2CV+iShAVna/H4xrXQB4t4jK5Sep2j9k=
+github.com/ergochat/irc-go v0.2.0 h1:3vHdy4c56UTY6+/rTBrQc1fmt32N5G8PrEZacJDOr+E=
-github.com/ergochat/irc-go v0.5.0-rc1/go.mod h1:2vi7KNpIPWnReB5hmLpl92eMywQvuIeIIGdt/FQCph0=
+github.com/ergochat/irc-go v0.2.0/go.mod h1:2vi7KNpIPWnReB5hmLpl92eMywQvuIeIIGdt/FQCph0=
 github.com/ergochat/irc-go v0.5.0-rc2 h1:VuSQJF5K4hWvYSzGa4b8vgL6kzw8HF6LSOejE+RWpAo=
 github.com/ergochat/irc-go v0.5.0-rc2/go.mod h1:2vi7KNpIPWnReB5hmLpl92eMywQvuIeIIGdt/FQCph0=
 github.com/ergochat/scram v1.0.2-ergo1 h1:2bYXiRFQH636pT0msOG39fmEYl4Eq+OuutcyDsCix/g=
 github.com/ergochat/scram v1.0.2-ergo1/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/ergochat/websocket v1.4.2-oragono1 h1:plMUunFBM6UoSCIYCKKclTdy/TkkHfUslhOfJQzfueM=
@ -35,8 +23,8 @@ github.com/go-test/deep v1.0.6 h1:UHSEyLZUwX9Qoi99vVwvewiMC8mM2bf7XEM2nqvzEn8=
 github.com/go-test/deep v1.0.6/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
 github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@ -50,23 +38,20 @@ github.com/onsi/gomega v1.9.0 h1:R1uwffexN6Pr340GtYRIdZmAiN4J+iw6WG4wog1DUXg=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/redis/go-redis/v9 v9.6.1 h1:HHDteefn6ZkTtY5fGUE8tj8uy85AHk6zP7CpzIAM0y4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/redis/go-redis/v9 v9.6.1/go.mod h1:0C0c6ycQsdpVNQpxb1njEQIqkx5UcsM8FJCQLgE9+RA=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/assert v0.1.0 h1:aWcKyRBUAdLoVebxo95N7+YZVTFF/ASTr7BN4sLP6XI=
 github.com/tidwall/assert v0.1.0/go.mod h1:QLYtGyeqse53vuELQheYl9dngGCJQ+mTtlxcktb+Kj8=
 github.com/tidwall/btree v1.4.2 h1:PpkaieETJMUxYNADsjgtNRcERX7mGc/GP2zp/r5FM3g=
 github.com/tidwall/btree v1.4.2/go.mod h1:LGm8L/DZjPLmeWGjv5kFrY8dL4uVhMmzmmLYmsObdKE=
-github.com/tidwall/buntdb v1.3.1 h1:HKoDF01/aBhl9RjYtbaLnvX9/OuenwvQiC3OP1CcL4o=
+github.com/tidwall/buntdb v1.2.10 h1:U/ebfkmYPBnyiNZIirUiWFcxA/mgzjbKlyPynFsPtyM=
-github.com/tidwall/buntdb v1.3.1/go.mod h1:lZZrZUWzlyDJKlLQ6DKAy53LnG7m5kHyrEHvvcDmBpU=
+github.com/tidwall/buntdb v1.2.10/go.mod h1:lZZrZUWzlyDJKlLQ6DKAy53LnG7m5kHyrEHvvcDmBpU=
 github.com/tidwall/gjson v1.12.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw=
 github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/grect v0.1.4 h1:dA3oIgNgWdSspFzn1kS4S/RDpZFLrIxAZOdJKjYapOg=
 github.com/tidwall/grect v0.1.4/go.mod h1:9FBsaYRaR0Tcy4UwefBX/UDcDcDy9V5jUcxHzv2jd5Q=
 github.com/tidwall/lotsa v1.0.2 h1:dNVBH5MErdaQ/xd9s769R31/n2dXavsQ0Yf4TMEHHw8=
 github.com/tidwall/lotsa v1.0.2/go.mod h1:X6NiU+4yHA3fE3Puvpnn1XMDrFZrE9JO2/w+UMuqgR8=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
@ -81,22 +66,21 @@ github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/stringprep v1.0.2 h1:6iq84/ryjjeRmMJwxutI51F2GIPlP5BfTvXHeYjyhBc=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
-golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -106,8 +90,7 @@ gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/irc/accounts.go
+++ b/irc/accounts.go
@ -4,7 +4,6 @@
 package irc
 import (
 	"context"
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/json"
@ -24,7 +23,6 @@ import (
 	"github.com/ergochat/ergo/irc/email"
 	"github.com/ergochat/ergo/irc/migrations"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/passwd"
 	"github.com/ergochat/ergo/irc/utils"
 )
@ -1429,74 +1427,6 @@ func (am *AccountManager) AuthenticateByPassphrase(client *Client, accountName s
 	return err
 }
 func (am *AccountManager) AuthenticateByBearerToken(client *Client, tokenType, token string) (err error) {
 	switch tokenType {
 	case "oauth2":
 		return am.AuthenticateByOAuthBearer(client, oauth2.OAuthBearerOptions{Token: token})
 	case "jwt":
 		return am.AuthenticateByJWT(client, token)
 	default:
 		return errInvalidBearerTokenType
 	}
 }
 func (am *AccountManager) AuthenticateByOAuthBearer(client *Client, opts oauth2.OAuthBearerOptions) (err error) {
 	config := am.server.Config()
 	if !config.Accounts.OAuth2.Enabled {
 		return errFeatureDisabled
 	}
 	if throttled, remainingTime := client.checkLoginThrottle(); throttled {
 		return &ThrottleError{remainingTime}
 	}
 	var username string
 	if config.Accounts.AuthScript.Enabled && config.Accounts.OAuth2.AuthScript {
 		username, err = am.authenticateByOAuthBearerScript(client, config, opts)
 	} else {
 		username, err = config.Accounts.OAuth2.Introspect(context.Background(), opts.Token)
 	}
 	if err != nil {
 		return err
 	}
 	account, err := am.loadWithAutocreation(username, config.Accounts.OAuth2.Autocreate)
 	if err == nil {
 		am.Login(client, account)
 	}
 	return err
 }
 func (am *AccountManager) AuthenticateByJWT(client *Client, token string) (err error) {
 	config := am.server.Config()
 	// enabled check is encapsulated here:
 	accountName, err := config.Accounts.JWTAuth.Validate(token)
 	if err != nil {
 		am.server.logger.Debug("accounts", "invalid JWT token", err.Error())
 		return errAccountInvalidCredentials
 	}
 	account, err := am.loadWithAutocreation(accountName, config.Accounts.JWTAuth.Autocreate)
 	if err == nil {
 		am.Login(client, account)
 	}
 	return err
 }
 func (am *AccountManager) authenticateByOAuthBearerScript(client *Client, config *Config, opts oauth2.OAuthBearerOptions) (username string, err error) {
 	output, err := CheckAuthScript(am.server.semaphores.AuthScript, config.Accounts.AuthScript.ScriptConfig,
 		AuthScriptInput{OAuthBearer: &opts, IP: client.IP().String()})
 	if err != nil {
 		am.server.logger.Error("internal", "failed shell auth invocation", err.Error())
 		return "", oauth2.ErrInvalidToken
 	} else if output.Success {
 		return output.AccountName, nil
 	} else {
 		return "", oauth2.ErrInvalidToken
 	}
 }
 // AllNicks returns the uncasefolded nicknames for all accounts, including additional (grouped) nicks.
 func (am *AccountManager) AllNicks() (result []string) {
 	accountNamePrefix := fmt.Sprintf(keyAccountName, "")
@ -2009,11 +1939,9 @@ func (am *AccountManager) AuthenticateByCertificate(client *Client, certfp strin
 		return err
 	}
-	if authzid != "" {
+	if authzid != "" && authzid != account {
 		if cfAuthzid, err := CasefoldName(authzid); err != nil || cfAuthzid != account {
 		return errAuthzidAuthcidMismatch
 	}
 	}
 	// ok, we found an account corresponding to their certificate
 	clientAccount, err = am.LoadAccount(account)
@ -2217,8 +2145,6 @@ var (
 		"PLAIN":         authPlainHandler,
 		"EXTERNAL":      authExternalHandler,
 		"SCRAM-SHA-256": authScramHandler,
 		"OAUTHBEARER":   authOauthBearerHandler,
 		"IRCV3BEARER":   authIRCv3BearerHandler,
 	}
 )
--- a/irc/authscript.go
+++ b/irc/authscript.go
@ -10,7 +10,6 @@ import (
 	"fmt"
 	"net"
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/utils"
 )
@ -22,7 +21,6 @@ type AuthScriptInput struct {
 	PeerCerts   []string `json:"peerCerts,omitempty"`
 	peerCerts   []*x509.Certificate
 	IP          string `json:"ip,omitempty"`
 	OAuthBearer *oauth2.OAuthBearerOptions `json:"oauth2,omitempty"`
 }
 type AuthScriptOutput struct {
--- a/irc/caps/constants.go
+++ b/irc/caps/constants.go
@ -62,13 +62,10 @@ const (
 	RelaymsgTagName = "draft/relaymsg"
 	// BOT mode: https://ircv3.net/specs/extensions/bot-mode
 	BotTagName = "bot"
 	// https://ircv3.net/specs/extensions/chathistory
 	ChathistoryTargetsBatchType = "draft/chathistory-targets"
 	ExtendedISupportBatchType   = "draft/extended-isupport"
 )
 func init() {
-	nameToCapability = make(map[string]Capability, numCapabs)
+	nameToCapability = make(map[string]Capability)
 	for capab, name := range capabilityNames {
 		nameToCapability[name] = Capability(capab)
 	}
--- a/irc/caps/defs.go
+++ b/irc/caps/defs.go
@ -7,9 +7,9 @@ package caps
 const (
 	// number of recognized capabilities:
-	numCapabs = 36
+	numCapabs = 32
 	// length of the uint32 array that represents the bitset:
-	bitsetLen = 2
+	bitsetLen = 1
 )
 const (
@ -53,26 +53,14 @@ const (
 	// https://github.com/ircv3/ircv3-specifications/pull/362
 	EventPlayback Capability = iota
 	// ExtendedISupport is the proposed IRCv3 capability named "draft/extended-isupport":
 	// https://github.com/ircv3/ircv3-specifications/pull/543
 	ExtendedISupport Capability = iota
 	// Languages is the proposed IRCv3 capability named "draft/languages":
 	// https://gist.github.com/DanielOaks/8126122f74b26012a3de37db80e4e0c6
 	Languages Capability = iota
 	// MessageRedaction is the proposed IRCv3 capability named "draft/message-redaction":
 	// https://github.com/progval/ircv3-specifications/blob/redaction/extensions/message-redaction.md
 	MessageRedaction Capability = iota
 	// Multiline is the proposed IRCv3 capability named "draft/multiline":
 	// https://github.com/ircv3/ircv3-specifications/pull/398
 	Multiline Capability = iota
 	// NoImplicitNames is the proposed IRCv3 capability named "draft/no-implicit-names":
 	// https://github.com/ircv3/ircv3-specifications/pull/527
 	NoImplicitNames Capability = iota
 	// Persistence is the proposed IRCv3 capability named "draft/persistence":
 	// https://github.com/ircv3/ircv3-specifications/pull/503
 	Persistence Capability = iota
@ -152,8 +140,6 @@ const (
 	// ZNCSelfMessage is the ZNC vendor capability named "znc.in/self-message":
 	// https://wiki.znc.in/Query_buffers
 	ZNCSelfMessage Capability = iota
 	ExtendedNames Capability = iota
 )
 // `capabilityNames[capab]` is the string name of the capability `capab`
@ -169,11 +155,8 @@ var (
 		"draft/channel-rename",
 		"draft/chathistory",
 		"draft/event-playback",
 		"draft/extended-isupport",
 		"draft/languages",
 		"draft/message-redaction",
 		"draft/multiline",
 		"draft/no-implicit-names",
 		"draft/persistence",
 		"draft/pre-away",
 		"draft/read-marker",
@ -194,6 +177,5 @@ var (
 		"userhost-in-names",
 		"znc.in/playback",
 		"znc.in/self-message",
 		"cef/extended-names",
 	}
 )
--- a/irc/caps/set.go
+++ b/irc/caps/set.go
@ -102,13 +102,6 @@ func (s *Set) Strings(version Version, values Values, maxLen int) (result []stri
 	var capab Capability
 	asSlice := s[:]
 	for capab = 0; capab < numCapabs; capab++ {
 		// XXX clients that only support CAP LS 301 cannot handle multiline
 		// responses. omit some CAPs in this case, forcing the response to fit on
 		// a single line. this is technically buggy for CAP LIST (as opposed to LS)
 		// but it shouldn't matter
 		if version < Cap302 && !isAllowed301(capab) {
 			continue
 		}
 		// skip any capabilities that are not enabled
 		if !utils.BitsetGet(asSlice, uint(capab)) {
 			continue
@ -129,15 +122,3 @@ func (s *Set) Strings(version Version, values Values, maxLen int) (result []stri
 	}
 	return
 }
 // this is a fixed whitelist of caps that are eligible for display in CAP LS 301
 func isAllowed301(capab Capability) bool {
 	switch capab {
 	case AccountNotify, AccountTag, AwayNotify, Batch, ChgHost, Chathistory, EventPlayback,
 		Relaymsg, EchoMessage, Nope, ExtendedJoin, InviteNotify, LabeledResponse, MessageTags,
 		MultiPrefix, SASL, ServerTime, SetName, STS, UserhostInNames, ZNCSelfMessage, ZNCPlayback:
 		return true
 	default:
 		return false
 	}
 }
--- a/irc/caps/set_test.go
+++ b/irc/caps/set_test.go
@ -3,11 +3,8 @@
 package caps
-import (
+import "testing"
-	"fmt"
+import "reflect"
 	"reflect"
 	"testing"
 )
 func TestSets(t *testing.T) {
 	s1 := NewSet()
@ -63,19 +60,6 @@ func TestSets(t *testing.T) {
 	}
 }
 func assertEqual(found, expected interface{}) {
 	if !reflect.DeepEqual(found, expected) {
 		panic(fmt.Sprintf("found %#v, expected %#v", found, expected))
 	}
 }
 func Test301WhitelistNotRespectedFor302(t *testing.T) {
 	s1 := NewSet()
 	s1.Enable(AccountTag, EchoMessage, StandardReplies)
 	assertEqual(s1.Strings(Cap301, nil, 0), []string{"account-tag echo-message"})
 	assertEqual(s1.Strings(Cap302, nil, 0), []string{"account-tag echo-message standard-replies"})
 }
 func TestSubtract(t *testing.T) {
 	s1 := NewSet(AccountTag, EchoMessage, UserhostInNames, ServerTime)
--- a/irc/cef.go
+++ b/irc/cef.go
@ -1,194 +0,0 @@
 package irc
 import (
 	"context"
 	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"github.com/cshum/imagor/imagorpath"
 	"github.com/ergochat/ergo/irc/caps"
 	"github.com/ergochat/irc-go/ircmsg"
 	"net/http"
 	"regexp"
 	"strings"
 	"time"
 )
 var ctx = context.Background()
 func (channel *Channel) RedisBroadcast(message ...string) {
 	if channel.server.redis == nil {
 		return
 	}
 	err := channel.server.redis.Publish(ctx, "channel."+channel.NameCasefolded(), strings.Join(message, " ")).Err()
 	if err != nil {
 		fmt.Printf("Channel broadcast error: %v", err)
 	}
 }
 func (client *Client) RedisBroadcast(message ...string) {
 	err := client.server.redis.Publish(ctx, "user."+client.NickCasefolded(), strings.Join(message, " ")).Err()
 	if err != nil {
 		fmt.Printf("User broadcast error: %v", err)
 	}
 }
 func (channel *Channel) Broadcast(command string, params ...string) {
 	channel.BroadcastFrom(channel.server.name, command, params...)
 }
 func (channel *Channel) BroadcastFrom(prefix string, command string, params ...string) {
 	for _, member := range channel.Members() {
 		for _, session := range member.Sessions() {
 			session.Send(nil, prefix, command, params...)
 		}
 	}
 }
 // ChannelSub Actions and info centering around channels
 func (server *Server) ChannelSub() {
 	pubsub := server.redis.PSubscribe(ctx, "channel.*")
 	defer pubsub.Close()
 	ch := pubsub.Channel()
 	for msg := range ch {
 		server.logger.Info("RedisMessage", msg.Channel, msg.Payload)
 		line := strings.Split(msg.Payload, " ")
 		channelName := strings.SplitN(msg.Channel, ".", 2)[1]
 		channel := server.channels.Get(channelName)
 		if len(line) == 0 {
 			println("Empty string dumped into ", msg.Channel, " channel")
 		}
 		if channel == nil {
 			server.logger.Warning("RedisMessage", "Unknown channel")
 			continue
 		}
 		switch line[0] {
 		case "VOICEPART":
 			channel.Broadcast("VOICEPART", channelName, line[1])
 		case "VOICESTATE":
 			channel.Broadcast("VOICESTATE", channelName, line[1], line[2], line[3])
 		case "BROADCASTTO":
 			for _, person := range channel.Members() {
 				person.Send(nil, server.name, line[1], line[2:]...)
 			}
 		}
 	}
 }
 // UserSub Handles things pertaining to users
 func (server *Server) UserSub() {
 	pubsub := server.redis.PSubscribe(ctx, "user.*")
 	defer pubsub.Close()
 	ch := pubsub.Channel()
 	for msg := range ch {
 		server.logger.Info("RedisMessage", msg.Channel, msg.Payload)
 		line := strings.Split(msg.Payload, " ")
 		userName := strings.SplitN(msg.Channel, ".", 2)[1]
 		user := server.clients.Get(userName)
 		if len(line) == 0 {
 			println("Empty string dumped into ", msg.Channel, " channel")
 		}
 		switch line[0] {
 		case "FULLYREMOVE":
 			if user != nil {
 				user.destroy(nil)
 				err := server.accounts.Unregister(user.Account(), true)
 				if err != nil {
 					return
 				}
 			}
 			break
 		case "BROADCASTAS":
 			if user != nil {
 				// I'm not too sure what the capability bit is, I think it's just ones that match
 				for friend := range user.Friends(caps.ExtendedNames) {
 					friend.Send(nil, user.NickMaskString(), line[1], line[2:]...)
 				}
 			}
 			break
 		}
 	}
 }
 func startRedis(server *Server) {
 	go server.ChannelSub()
 	go server.UserSub()
 }
 func (server *Server) GenerateImagorSignaturesFromMessage(message *ircmsg.Message) string {
 	line, err := message.Line()
 	if err == nil {
 		return server.GenerateImagorSignatures(line)
 	}
 	return ""
 }
 func (server *Server) GetUrlMime(url string) string {
 	config := server.Config()
 	// hacky, should fix
 	if !strings.Contains(url, "?") {
 		url += "?"
 	}
 	params := imagorpath.Params{
 		Image: url,
 		Meta:  true,
 	}
 	metaPath := imagorpath.Generate(params, imagorpath.NewHMACSigner(sha256.New, 0, config.Cef.Imagor.Secret))
 	client := http.Client{
 		Timeout: 5 * time.Second,
 	}
 	resp, err := client.Get(config.Cef.Imagor.Url + metaPath)
 	if err != nil {
 		println("Failed on the initial get")
 		println(err.Error())
 		return ""
 	}
 	defer resp.Body.Close()
 	var meta map[string]interface{}
 	err = json.NewDecoder(resp.Body).Decode(&meta)
 	if err != nil {
 		println("Failed on the JSON decode")
 		return ""
 	}
 	contentType, valid := meta["format"].(string)
 	if !valid {
 		println("No content type")
 		return ""
 	}
 	return contentType
 }
 var urlRegex = regexp.MustCompile("https?:\\/\\/[\\w-]+(\\.[\\w-]+)+([\\w.,@?^=%&amp;:/~+#-]*[\\w@?^=%&amp;/~+#-])?")
 // Process a message to add Imagor signatures
 func (server *Server) GenerateImagorSignatures(str string) string {
 	urls := urlRegex.FindAllString(str, -1)
 	var sigs []string
 	for _, url := range urls {
 		params := imagorpath.Params{
 			Image:  url,
 			FitIn:  true,
 			Width:  600,
 			Height: 600,
 		}
 		path := imagorpath.Generate(params, imagorpath.NewHMACSigner(sha256.New, 0, server.Config().Cef.Imagor.Secret))
 		signature := path[:strings.IndexByte(path, '/')]
 		contentType := server.GetUrlMime(url)
 		if contentType != "" {
 			sigs = append(sigs, signature+"|"+strings.ReplaceAll(contentType, "/", "_"))
 		} else {
 			sigs = append(sigs, signature)
 		}
 	}
 	if len(sigs) > 0 {
 		return strings.Join(sigs, ",")
 	}
 	return ""
 }
--- a/irc/channel.go
+++ b/irc/channel.go
@ -7,14 +7,13 @@ package irc
 import (
 	"fmt"
 	"maps"
 	"strconv"
 	"strings"
 	"time"
 	"sync"
-	"github.com/ergochat/irc-go/ircmsg"
+	"github.com/ergochat/irc-go/ircutils"
 	"github.com/ergochat/ergo/irc/caps"
 	"github.com/ergochat/ergo/irc/datastore"
@ -159,7 +158,7 @@ func (channel *Channel) ExportRegistration() (info RegisteredChannel) {
 	info.Bans = channel.lists[modes.BanMask].Masks()
 	info.Invites = channel.lists[modes.InviteMask].Masks()
 	info.Excepts = channel.lists[modes.ExceptMask].Masks()
-	info.AccountToUMode = maps.Clone(channel.accountToUMode)
+	info.AccountToUMode = utils.CopyMap(channel.accountToUMode)
 	info.Settings = channel.settings
@ -222,8 +221,6 @@ func (channel *Channel) wakeWriter() {
 // equivalent of Socket.send()
 func (channel *Channel) writeLoop() {
 	defer channel.server.HandlePanic()
 	for {
 		// TODO(#357) check the error value of this and implement timed backoff
 		channel.performWrite(0)
@ -449,10 +446,6 @@ func (channel *Channel) Names(client *Client, rb *ResponseBuffer) {
 	chname := channel.name
 	membersCache, memberDataCache := channel.membersCache, channel.memberDataCache
 	channel.stateMutex.RUnlock()
 	symbol := "=" // https://modern.ircdocs.horse/#rplnamreply-353
 	if channel.flags.HasMode(modes.Secret) {
 		symbol = "@"
 	}
 	isOper := client.HasRoleCapabs("sajoin")
 	respectAuditorium := channel.flags.HasMode(modes.Auditorium) && !isOper &&
 		(!isJoined || clientData.modes.HighestChannelUserMode() == modes.Mode(0))
@ -477,18 +470,12 @@ func (channel *Channel) Names(client *Client, rb *ResponseBuffer) {
 			if respectAuditorium && memberData.modes.HighestChannelUserMode() == modes.Mode(0) {
 				continue
 			}
 			if rb.session.capabilities.Has(caps.ExtendedNames) {
 				away, _ := target.Away()
 				if away {
 					nick = nick + "*"
 				}
 			}
 			tl.AddParts(memberData.modes.Prefixes(isMultiPrefix), nick)
 		}
 	}
 	for _, line := range tl.Lines() {
-		rb.Add(nil, client.server.name, RPL_NAMREPLY, client.nick, symbol, chname, line)
+		rb.Add(nil, client.server.name, RPL_NAMREPLY, client.nick, "=", chname, line)
 	}
 	rb.Add(nil, client.server.name, RPL_ENDOFNAMES, client.nick, chname, client.t("End of NAMES list"))
 }
@ -557,14 +544,11 @@ func (channel *Channel) ClientStatus(client *Client) (present bool, joinTimeSecs
 // helper for persisting channel-user modes for always-on clients;
 // return the channel name and all channel-user modes for a client
-func (channel *Channel) alwaysOnStatus(client *Client) (ok bool, chname string, status alwaysOnChannelStatus) {
+func (channel *Channel) alwaysOnStatus(client *Client) (chname string, status alwaysOnChannelStatus) {
 	channel.stateMutex.RLock()
 	defer channel.stateMutex.RUnlock()
 	chname = channel.name
-	data, ok := channel.members[client]
+	data := channel.members[client]
 	if !ok {
 		return
 	}
 	status.Modes = data.modes.String()
 	status.JoinTime = data.joinTime
 	return
@ -727,9 +711,6 @@ func (channel *Channel) AddHistoryItem(item history.Item, account string) (err e
 	if !itemIsStorable(&item, channel.server.Config()) {
 		return
 	}
 	if item.Target == "" {
 		item.Target = channel.nameCasefolded
 	}
 	status, target, _ := channel.historyStatus(channel.server.Config())
 	if status == HistoryPersistent {
@ -804,8 +785,6 @@ func (channel *Channel) Join(client *Client, key string, isSajoin bool, rb *Resp
 	}
 	client.server.logger.Debug("channels", fmt.Sprintf("%s joined channel %s", details.nick, chname))
 	// I think this is assured to always be a good join point
 	channel.RedisBroadcast("VOICEPOLL")
 	givenMode := func() (givenMode modes.Mode) {
 		channel.joinPartMutex.Lock()
@ -841,9 +820,8 @@ func (channel *Channel) Join(client *Client, key string, isSajoin bool, rb *Resp
 		histItem := history.Item{
 			Type:        history.Join,
 			Nick:        details.nickMask,
-			Account: details.account,
+			AccountName: details.accountName,
 			Message:     message,
 			Target:  channel.NameCasefolded(),
 			IsBot:       isBot,
 		}
 		histItem.Params[0] = details.realname
@ -906,9 +884,7 @@ func (channel *Channel) Join(client *Client, key string, isSajoin bool, rb *Resp
 	if rb.session.client == client {
 		// don't send topic and names for a SAJOIN of a different client
 		channel.SendTopic(client, rb, false)
 		if !rb.session.capabilities.Has(caps.NoImplicitNames) {
 		channel.Names(client, rb)
 		}
 	} else {
 		// ensure that SAJOIN sends a MODE line to the originating client, if applicable
 		if givenMode != 0 {
@ -975,7 +951,7 @@ func (channel *Channel) autoReplayHistory(client *Client, rb *ResponseBuffer, sk
 		}
 	}
 	if 0 < numItems {
-		channel.replayHistoryItems(rb, items, false, "", "", numItems)
+		channel.replayHistoryItems(rb, items, false)
 		rb.Flush(true)
 	}
 }
@ -999,11 +975,8 @@ func (channel *Channel) playJoinForSession(session *Session) {
 		sessionRb.Add(nil, client.server.name, "MARKREAD", chname, client.GetReadMarker(chcfname))
 	}
 	channel.SendTopic(client, sessionRb, false)
 	if !session.capabilities.Has(caps.NoImplicitNames) {
 	channel.Names(client, sessionRb)
 	}
 	sessionRb.Send(false)
 	channel.RedisBroadcast("VOICEPOLL")
 }
 // Part parts the given client from this channel, with the given message.
@ -1057,9 +1030,8 @@ func (channel *Channel) Part(client *Client, message string, rb *ResponseBuffer)
 		channel.AddHistoryItem(history.Item{
 			Type:        history.Part,
 			Nick:        details.nickMask,
-			Account: details.account,
+			AccountName: details.accountName,
 			Message:     splitMessage,
 			Target:  channel.NameCasefolded(),
 			IsBot:       isBot,
 		}, details.account)
 	}
@ -1067,7 +1039,7 @@ func (channel *Channel) Part(client *Client, message string, rb *ResponseBuffer)
 	client.server.logger.Debug("channels", fmt.Sprintf("%s left channel %s", details.nick, chname))
 }
-func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.Item, chathistoryCommand bool, identifier string, preposition string, limit int) {
+func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.Item, chathistoryCommand bool) {
 	// send an empty batch if necessary, as per the CHATHISTORY spec
 	chname := channel.Name()
 	client := rb.target
@ -1087,19 +1059,19 @@ func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.I
 		}
 	}
-	batchID := rb.StartNestedBatch("chathistory", chname, identifier, preposition, strconv.Itoa(limit))
+	batchID := rb.StartNestedHistoryBatch(chname)
 	defer rb.EndNestedBatch(batchID)
 	for _, item := range items {
 		nick := NUHToNick(item.Nick)
 		switch item.Type {
 		case history.Privmsg:
-			rb.AddSplitMessageFromClientWithReactions(item.Nick, item.Account, item.IsBot, item.Tags, "PRIVMSG", chname, item.Message, item.Reactions)
+			rb.AddSplitMessageFromClient(item.Nick, item.AccountName, item.IsBot, item.Tags, "PRIVMSG", chname, item.Message)
 		case history.Notice:
-			rb.AddSplitMessageFromClientWithReactions(item.Nick, item.Account, item.IsBot, item.Tags, "NOTICE", chname, item.Message, item.Reactions)
+			rb.AddSplitMessageFromClient(item.Nick, item.AccountName, item.IsBot, item.Tags, "NOTICE", chname, item.Message)
 		case history.Tagmsg:
 			if eventPlayback {
-				rb.AddSplitMessageFromClient(item.Nick, item.Account, item.IsBot, item.Tags, "TAGMSG", chname, item.Message)
+				rb.AddSplitMessageFromClient(item.Nick, item.AccountName, item.IsBot, item.Tags, "TAGMSG", chname, item.Message)
 			} else if chathistoryCommand {
 				// #1676, we have to send something here or else it breaks pagination
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", chname, fmt.Sprintf(client.t("%s sent a TAGMSG"), nick))
@ -1107,25 +1079,25 @@ func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.I
 		case history.Join:
 			if eventPlayback {
 				if extendedJoin {
-					rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "JOIN", chname, item.Account, item.Params[0])
+					rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "JOIN", chname, item.AccountName, item.Params[0])
 				} else {
-					rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "JOIN", chname)
+					rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "JOIN", chname)
 				}
 			} else {
 				if !playJoinsAsPrivmsg {
 					continue // #474
 				}
 				var message string
-				if item.Account == "*" {
+				if item.AccountName == "*" {
 					message = fmt.Sprintf(client.t("%s joined the channel"), nick)
 				} else {
-					message = fmt.Sprintf(client.t("%[1]s [account: %[2]s] joined the channel"), nick, item.Account)
+					message = fmt.Sprintf(client.t("%[1]s [account: %[2]s] joined the channel"), nick, item.AccountName)
 				}
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", chname, message)
 			}
 		case history.Part:
 			if eventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "PART", chname, item.Message.Message)
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "PART", chname, item.Message.Message)
 			} else {
 				if !playJoinsAsPrivmsg {
 					continue // #474
@ -1135,14 +1107,14 @@ func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.I
 			}
 		case history.Kick:
 			if eventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "KICK", chname, item.Params[0], item.Message.Message)
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "KICK", chname, item.Params[0], item.Message.Message)
 			} else {
 				message := fmt.Sprintf(client.t("%[1]s kicked %[2]s (%[3]s)"), nick, item.Params[0], item.Message.Message)
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", chname, message)
 			}
 		case history.Quit:
 			if eventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "QUIT", item.Message.Message)
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "QUIT", item.Message.Message)
 			} else {
 				if !playJoinsAsPrivmsg {
 					continue // #474
@ -1152,14 +1124,14 @@ func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.I
 			}
 		case history.Nick:
 			if eventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "NICK", item.Params[0])
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "NICK", item.Params[0])
 			} else {
 				message := fmt.Sprintf(client.t("%[1]s changed nick to %[2]s"), nick, item.Params[0])
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", chname, message)
 			}
 		case history.Topic:
 			if eventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "TOPIC", chname, item.Message.Message)
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "TOPIC", chname, item.Message.Message)
 			} else {
 				message := fmt.Sprintf(client.t("%[1]s set the channel topic to: %[2]s"), nick, item.Message.Message)
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", chname, message)
@ -1171,7 +1143,7 @@ func (channel *Channel) replayHistoryItems(rb *ResponseBuffer, items []history.I
 				params[i+1] = pair.Message
 			}
 			if eventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "MODE", params...)
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "MODE", params...)
 			} else {
 				message := fmt.Sprintf(client.t("%[1]s set channel modes: %[2]s"), nick, strings.Join(params[1:], " "))
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", chname, message)
@ -1219,7 +1191,7 @@ func (channel *Channel) SetTopic(client *Client, topic string, rb *ResponseBuffe
 		return
 	}
-	topic = ircmsg.TruncateUTF8Safe(topic, client.server.Config().Limits.TopicLen)
+	topic = ircutils.TruncateUTF8Safe(topic, client.server.Config().Limits.TopicLen)
 	channel.stateMutex.Lock()
 	chname := channel.name
@ -1243,10 +1215,9 @@ func (channel *Channel) SetTopic(client *Client, topic string, rb *ResponseBuffe
 	channel.AddHistoryItem(history.Item{
 		Type:        history.Topic,
 		Nick:        details.nickMask,
-		Account: details.account,
+		AccountName: details.accountName,
 		Message:     message,
 		IsBot:       isBot,
 		Target:  channel.NameCasefolded(),
 	}, details.account)
 	channel.MarkDirty(IncludeTopic)
@ -1257,26 +1228,20 @@ func (channel *Channel) CanSpeak(client *Client) (bool, modes.Mode) {
 	channel.stateMutex.RLock()
 	memberData, hasClient := channel.members[client]
 	channel.stateMutex.RUnlock()
-
+	clientModes := memberData.modes
 	highestMode := func() modes.Mode {
 		if !hasClient {
 			return modes.Mode(0)
 		}
 		return memberData.modes.HighestChannelUserMode()
 	}
 	if !hasClient && channel.flags.HasMode(modes.NoOutside) {
 		// TODO: enforce regular +b bans on -n channels?
 		return false, modes.NoOutside
 	}
-	if channel.isMuted(client) && highestMode() == modes.Mode(0) {
+	if channel.isMuted(client) && clientModes.HighestChannelUserMode() == modes.Mode(0) {
 		return false, modes.BanMask
 	}
-	if channel.flags.HasMode(modes.Moderated) && highestMode() == modes.Mode(0) {
+	if channel.flags.HasMode(modes.Moderated) && clientModes.HighestChannelUserMode() == modes.Mode(0) {
 		return false, modes.Moderated
 	}
 	if channel.flags.HasMode(modes.RegisteredOnlySpeak) && client.Account() == "" &&
-		highestMode() == modes.Mode(0) {
+		clientModes.HighestChannelUserMode() == modes.Mode(0) {
 		return false, modes.RegisteredOnlySpeak
 	}
 	return true, modes.Mode('?')
@ -1335,11 +1300,6 @@ func (channel *Channel) SendSplitMessage(command string, minPrefixMode modes.Mod
 	isBot := client.HasMode(modes.Bot)
 	chname := channel.Name()
 	// STATUSMSG targets are prefixed with the supplied min-prefix, e.g., @#channel
 	if minPrefixMode != modes.Mode(0) {
 		chname = fmt.Sprintf("%s%s", modes.ChannelModePrefixes[minPrefixMode], chname)
 	}
 	if !client.server.Config().Server.Compatibility.allowTruncation {
 		if !validateSplitMessageLen(histType, details.nickMask, chname, message) {
 			rb.Add(nil, client.server.name, ERR_INPUTTOOLONG, details.nick, client.t("Line too long to be relayed without truncation"))
@ -1347,6 +1307,11 @@ func (channel *Channel) SendSplitMessage(command string, minPrefixMode modes.Mod
 		}
 	}
 	// STATUSMSG targets are prefixed with the supplied min-prefix, e.g., @#channel
 	if minPrefixMode != modes.Mode(0) {
 		chname = fmt.Sprintf("%s%s", modes.ChannelModePrefixes[minPrefixMode], chname)
 	}
 	if channel.flags.HasMode(modes.OpModerated) {
 		channel.stateMutex.RLock()
 		cuData, ok := channel.members[client]
@ -1389,10 +1354,9 @@ func (channel *Channel) SendSplitMessage(command string, minPrefixMode modes.Mod
 			Type:        histType,
 			Message:     message,
 			Nick:        details.nickMask,
-			Account: details.accountName,
+			AccountName: details.accountName,
 			Tags:        clientOnlyTags,
 			IsBot:       isBot,
 			Target:  channel.NameCasefolded(),
 		}, details.account)
 	}
 }
@ -1466,7 +1430,6 @@ func (channel *Channel) Quit(client *Client) {
 		client.server.channels.Cleanup(channel)
 	}
 	client.removeChannel(channel)
 	channel.Broadcast("KICK", client.NickCasefolded())
 }
 func (channel *Channel) Kick(client *Client, target *Client, comment string, rb *ResponseBuffer, hasPrivs bool) {
@ -1481,7 +1444,7 @@ func (channel *Channel) Kick(client *Client, target *Client, comment string, rb
 		return
 	}
-	comment = ircmsg.TruncateUTF8Safe(comment, channel.server.Config().Limits.KickLen)
+	comment = ircutils.TruncateUTF8Safe(comment, channel.server.Config().Limits.KickLen)
 	message := utils.MakeMessage(comment)
 	details := client.Details()
@ -1501,10 +1464,9 @@ func (channel *Channel) Kick(client *Client, target *Client, comment string, rb
 	histItem := history.Item{
 		Type:        history.Kick,
 		Nick:        details.nickMask,
-		Account: details.account,
+		AccountName: details.accountName,
 		Message:     message,
 		IsBot:       isBot,
 		Target:  channel.NameCasefolded(),
 	}
 	histItem.Params[0] = targetNick
 	channel.AddHistoryItem(histItem, details.account)
@ -1531,7 +1493,7 @@ func (channel *Channel) Purge(source string) {
 	now := time.Now().UTC()
 	for _, member := range members {
 		tnick := member.Nick()
-		msgid := utils.GenerateMessageIdStr()
+		msgid := utils.GenerateSecretToken()
 		for _, session := range member.Sessions() {
 			session.sendFromClientInternal(false, now, msgid, source, "*", false, nil, "KICK", chname, tnick, member.t("This channel has been purged by the server administrators and cannot be used"))
 		}
@ -1581,8 +1543,6 @@ func (channel *Channel) Invite(invitee *Client, inviter *Client, rb *ResponseBuf
 	item := history.Item{
 		Type:    history.Invite,
 		Message: message,
 		Account: inviter.Account(),
 		Target:  invitee.Account(),
 	}
 	for _, member := range channel.Members() {
@ -1646,26 +1606,6 @@ func (channel *Channel) auditoriumFriends(client *Client) (friends []*Client) {
 	return
 }
 // returns whether the client is visible to unprivileged users in the channel
 // (i.e., respecting auditorium mode). note that this assumes that the client
 // is a member; if the client is not, it may return true anyway
 func (channel *Channel) memberIsVisible(client *Client) bool {
 	// fast path, we assume they're a member so if this isn't an auditorium,
 	// they're visible:
 	if !channel.flags.HasMode(modes.Auditorium) {
 		return true
 	}
 	channel.stateMutex.RLock()
 	defer channel.stateMutex.RUnlock()
 	clientData, found := channel.members[client]
 	if !found {
 		return false
 	}
 	return clientData.modes.HighestChannelUserMode() != modes.Mode(0)
 }
 // data for RPL_LIST
 func (channel *Channel) listData() (memberCount int, name, topic string) {
 	channel.stateMutex.RLock()
--- a/irc/chanserv.go
+++ b/irc/chanserv.go
@ -6,7 +6,6 @@ package irc
 import (
 	"fmt"
 	"regexp"
 	"slices"
 	"sort"
 	"strings"
 	"time"
@ -219,7 +218,7 @@ func csAmodeHandler(service *ircService, server *Server, client *Client, command
 	// check for anything valid as a channel mode change that is not valid
 	// as an AMODE change
 	for _, modeChange := range modeChanges {
-		if !slices.Contains(modes.ChannelUserModes, modeChange.Mode) {
+		if !utils.SliceContains(modes.ChannelUserModes, modeChange.Mode) {
 			invalid = true
 		}
 	}
@ -753,7 +752,6 @@ func csListHandler(service *ircService, server *Server, client *Client, command
 }
 func csInfoHandler(service *ircService, server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {
 	if len(params) == 0 {
 		// #765
 		listRegisteredChannels(service, client.Account(), rb)
@ -766,41 +764,37 @@ func csInfoHandler(service *ircService, server *Server, client *Client, command
 		return
 	}
 	// purge status
 	if client.HasRoleCapabs("chanreg") {
 		purgeRecord, err := server.channels.LoadPurgeRecord(chname)
 		if err == nil {
 			service.Notice(rb, fmt.Sprintf(client.t("Channel %s was purged by the server operators and cannot be used"), chname))
 			service.Notice(rb, fmt.Sprintf(client.t("Purged by operator: %s"), purgeRecord.Oper))
 			service.Notice(rb, fmt.Sprintf(client.t("Purged at: %s"), purgeRecord.PurgedAt.Format(time.RFC1123)))
 			if purgeRecord.Reason != "" {
 				service.Notice(rb, fmt.Sprintf(client.t("Purge reason: %s"), purgeRecord.Reason))
 			}
 		}
 	} else {
 		if server.channels.IsPurged(chname) {
 			service.Notice(rb, fmt.Sprintf(client.t("Channel %s was purged by the server operators and cannot be used"), chname))
 		}
 	}
 	var chinfo RegisteredChannel
 	channel := server.channels.Get(params[0])
 	if channel != nil {
 		chinfo = channel.exportSummary()
 	}
 	tags := map[string]string{
 		"target": chinfo.Name,
 	}
 	// purge status
 	if client.HasRoleCapabs("chanreg") {
 		purgeRecord, err := server.channels.LoadPurgeRecord(chname)
 		if err == nil {
 			service.TaggedNotice(rb, fmt.Sprintf(client.t("Channel %s was purged by the server operators and cannot be used"), chname), tags)
 			service.TaggedNotice(rb, fmt.Sprintf(client.t("Purged by operator: %s"), purgeRecord.Oper), tags)
 			service.TaggedNotice(rb, fmt.Sprintf(client.t("Purged at: %s"), purgeRecord.PurgedAt.Format(time.RFC1123)), tags)
 			if purgeRecord.Reason != "" {
 				service.TaggedNotice(rb, fmt.Sprintf(client.t("Purge reason: %s"), purgeRecord.Reason), tags)
 			}
 		}
 	} else {
 		if server.channels.IsPurged(chname) {
 			service.TaggedNotice(rb, fmt.Sprintf(client.t("Channel %s was purged by the server operators and cannot be used"), chname), tags)
 		}
 	}
 	// channel exists but is unregistered, or doesn't exist:
 	if chinfo.Founder == "" {
-		service.TaggedNotice(rb, fmt.Sprintf(client.t("Channel %s is not registered"), chname), tags)
+		service.Notice(rb, fmt.Sprintf(client.t("Channel %s is not registered"), chname))
 		return
 	}
-	service.TaggedNotice(rb, fmt.Sprintf(client.t("Channel %s is registered"), chinfo.Name), tags)
+	service.Notice(rb, fmt.Sprintf(client.t("Channel %s is registered"), chinfo.Name))
-	service.TaggedNotice(rb, fmt.Sprintf(client.t("Founder: %s"), chinfo.Founder), tags)
+	service.Notice(rb, fmt.Sprintf(client.t("Founder: %s"), chinfo.Founder))
-	service.TaggedNotice(rb, fmt.Sprintf(client.t("Registered at: %s"), chinfo.RegisteredAt.Format(time.RFC1123)), tags)
+	service.Notice(rb, fmt.Sprintf(client.t("Registered at: %s"), chinfo.RegisteredAt.Format(time.RFC1123)))
 }
 func displayChannelSetting(service *ircService, settingName string, settings ChannelSettings, client *Client, rb *ResponseBuffer) {
--- a/irc/client.go
+++ b/irc/client.go
@ -8,7 +8,6 @@ package irc
 import (
 	"crypto/x509"
 	"fmt"
 	"maps"
 	"net"
 	"runtime/debug"
 	"strconv"
@ -21,7 +20,6 @@ import (
 	"github.com/ergochat/irc-go/ircfmt"
 	"github.com/ergochat/irc-go/ircmsg"
 	"github.com/ergochat/irc-go/ircreader"
 	"github.com/ergochat/irc-go/ircutils"
 	"github.com/xdg-go/scram"
 	"github.com/ergochat/ergo/irc/caps"
@ -29,14 +27,13 @@ import (
 	"github.com/ergochat/ergo/irc/flatip"
 	"github.com/ergochat/ergo/irc/history"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/sno"
 	"github.com/ergochat/ergo/irc/utils"
 )
 const (
-	// Set to 4096 because CEF doesn't care about compatibility
+	// maximum IRC line length, not including tags
-	DefaultMaxLineLen = 4096
+	DefaultMaxLineLen = 512
 	// IdentTimeout is how long before our ident (username) check times out.
 	IdentTimeout         = time.Second + 500*time.Millisecond
@ -121,20 +118,12 @@ type Client struct {
 type saslStatus struct {
 	mechanism string
-	value     ircutils.SASLBuffer
+	value     string
 	scramConv *scram.ServerConversation
 	oauthConv *oauth2.OAuthBearerServer
 }
 func (s *saslStatus) Initialize() {
 	s.value.Initialize(saslMaxResponseLength)
 }
 func (s *saslStatus) Clear() {
-	s.mechanism = ""
+	*s = saslStatus{}
 	s.value.Clear()
 	s.scramConv = nil
 	s.oauthConv = nil
 }
 // what stage the client is at w.r.t. the PASS command:
@ -165,7 +154,6 @@ type Session struct {
 	realIP      net.IP
 	proxiedIP   net.IP
 	rawHostname string
 	hostnameFinalized bool
 	isTor       bool
 	hideSTS     bool
@ -179,8 +167,6 @@ type Session struct {
 	batchCounter atomic.Uint32
 	isupportSentPrereg bool
 	quitMessage string
 	awayMessage string
@ -375,7 +361,6 @@ func (server *Server) RunClient(conn IRCConn) {
 		isTor:      wConn.Tor,
 		hideSTS:    wConn.Tor || wConn.HideSTS,
 	}
 	session.sasl.Initialize()
 	client.sessions = []*Session{session}
 	session.resetFakelag()
@ -491,21 +476,12 @@ func (client *Client) resizeHistory(config *Config) {
 	}
 }
-// once we have the final IP address (from the connection itself or from proxy data),
+// resolve an IP to an IRC-ready hostname, using reverse DNS, forward-confirming if necessary,
-// compute the various possibilities for the hostname:
+// and sending appropriate notices to the client
-// * In the default/recommended configuration, via the cloak algorithm
+func (client *Client) lookupHostname(session *Session, overwrite bool) {
 // * If hostname lookup is enabled, via (forward-confirmed) reverse DNS
 // * If WEBIRC was used, possibly via the hostname passed on the WEBIRC line
 func (client *Client) finalizeHostname(session *Session) {
 	// only allow this once, since registration can fail (e.g. if the nickname is in use)
 	if session.hostnameFinalized {
 		return
 	}
 	session.hostnameFinalized = true
 	if session.isTor {
 		return
-	}
+	} // else: even if cloaking is enabled, look up the real hostname to show to operators
 	config := client.server.Config()
 	ip := session.realIP
@ -513,8 +489,6 @@ func (client *Client) finalizeHostname(session *Session) {
 		ip = session.proxiedIP
 	}
 	// even if cloaking is enabled, we may want to look up the real hostname to show to operators:
 	if session.rawHostname == "" {
 	var hostname string
 	lookupSuccessful := false
 	if config.Server.lookupHostnames {
@ -528,12 +502,17 @@ func (client *Client) finalizeHostname(session *Session) {
 	} else {
 		hostname = utils.IPStringToHostname(ip.String())
 	}
 		session.rawHostname = hostname
 	}
-	// these will be discarded if this is actually a reattach:
+	session.rawHostname = hostname
-	client.rawHostname = session.rawHostname
+	cloakedHostname := config.Server.Cloaks.ComputeCloak(ip)
-	client.cloakedHostname = config.Server.Cloaks.ComputeCloak(ip)
+	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	// update the hostname if this is a new connection, but not if it's a reattach
 	if overwrite || client.rawHostname == "" {
 		client.rawHostname = hostname
 		client.cloakedHostname = cloakedHostname
 		client.updateNickMaskNoMutex()
 	}
 }
 func (client *Client) doIdentLookup(conn net.Conn) {
@ -651,17 +630,6 @@ func (client *Client) run(session *Session) {
 	firstLine := !isReattach
 	correspondents, _ := client.server.historyDB.GetPMs(client.Account())
 	// For safety, let's keep this within the 4096 character barrier
 	var lineBuilder utils.TokenLineBuilder
 	lineBuilder.Initialize(MaxLineLen, ",")
 	for username, timestamp := range correspondents {
 		lineBuilder.Add(fmt.Sprintf("%s %d", client.server.getCurrentNick(username), timestamp))
 	}
 	for _, message := range lineBuilder.Lines() {
 		session.Send(nil, client.server.name, "PMS", message)
 	}
 	for {
 		var invalidUtf8 bool
 		line, err := session.socket.Read()
@ -875,14 +843,14 @@ func (session *Session) Ping() {
 	session.Send(nil, "", "PING", session.client.Nick())
 }
-func (client *Client) replayPrivmsgHistory(rb *ResponseBuffer, items []history.Item, target string, chathistoryCommand bool, identifier string, preposition string, limit int) {
+func (client *Client) replayPrivmsgHistory(rb *ResponseBuffer, items []history.Item, target string, chathistoryCommand bool) {
 	var batchID string
 	details := client.Details()
 	nick := details.nick
 	if target == "" {
 		target = nick
 	}
-	batchID = rb.StartNestedBatch("chathistory", target, identifier, preposition, strconv.Itoa(limit))
+	batchID = rb.StartNestedHistoryBatch(target)
 	isSelfMessage := func(item *history.Item) bool {
 		// XXX: Params[0] is the message target. if the source of this message is an in-memory
@ -903,7 +871,7 @@ func (client *Client) replayPrivmsgHistory(rb *ResponseBuffer, items []history.I
 				continue
 			}
 			if hasEventPlayback {
-				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.Account, item.IsBot, nil, "INVITE", nick, item.Message.Message)
+				rb.AddFromClient(item.Message.Time, item.Message.Msgid, item.Nick, item.AccountName, item.IsBot, nil, "INVITE", nick, item.Message.Message)
 			} else {
 				rb.AddFromClient(item.Message.Time, history.HistservMungeMsgid(item.Message.Msgid), histservService.prefix, "*", false, nil, "PRIVMSG", fmt.Sprintf(client.t("%[1]s invited you to channel %[2]s"), NUHToNick(item.Nick), item.Message.Message))
 			}
@ -931,11 +899,11 @@ func (client *Client) replayPrivmsgHistory(rb *ResponseBuffer, items []history.I
 			tags = item.Tags
 		}
 		if !isSelfMessage(&item) {
-			rb.AddSplitMessageFromClientWithReactions(item.Nick, item.Account, item.IsBot, tags, command, nick, item.Message, item.Reactions)
+			rb.AddSplitMessageFromClient(item.Nick, item.AccountName, item.IsBot, tags, command, nick, item.Message)
 		} else {
 			// this message was sent *from* the client to another nick; the target is item.Params[0]
 			// substitute client's current nickmask in case client changed nick
-			rb.AddSplitMessageFromClientWithReactions(details.nickMask, item.Account, item.IsBot, tags, command, item.Params[0], item.Message, item.Reactions)
+			rb.AddSplitMessageFromClient(details.nickMask, item.AccountName, item.IsBot, tags, command, item.Params[0], item.Message)
 		}
 	}
@ -1317,10 +1285,10 @@ func (client *Client) destroy(session *Session) {
 	}
 	var quitItem history.Item
-	var quitHistoryChannels []*Channel
+	var channels []*Channel
 	// use a defer here to avoid writing to mysql while holding the destroy semaphore:
 	defer func() {
-		for _, channel := range quitHistoryChannels {
+		for _, channel := range channels {
 			channel.AddHistoryItem(quitItem, details.account)
 		}
 	}()
@ -1342,11 +1310,8 @@ func (client *Client) destroy(session *Session) {
 	// clean up channels
 	// (note that if this is a reattach, client has no channels and therefore no friends)
 	friends := make(ClientSet)
-	channels := client.Channels()
+	channels = client.Channels()
 	for _, channel := range channels {
 		if channel.memberIsVisible(client) {
 			quitHistoryChannels = append(quitHistoryChannels, channel)
 		}
 		for _, member := range channel.auditoriumFriends(client) {
 			friends.Add(member)
 		}
@ -1367,7 +1332,7 @@ func (client *Client) destroy(session *Session) {
 	quitItem = history.Item{
 		Type:        history.Quit,
 		Nick:        details.nickMask,
-		Account: details.accountName,
+		AccountName: details.accountName,
 		Message:     splitQuitMessage,
 		IsBot:       isBot,
 	}
@ -1449,10 +1414,6 @@ func composeMultilineBatch(batchID, fromNickMask, fromAccount string, isBot bool
 	for _, msg := range message.Split {
 		message := ircmsg.MakeMessage(nil, fromNickMask, command, target, msg.Message)
 		message.SetTag("batch", batchID)
 		for k, v := range msg.Tags {
 			message.SetTag(k, v)
 		}
 		if msg.Concat {
 			message.SetTag(caps.MultilineConcatTag, "")
 		}
@ -1464,27 +1425,27 @@ func composeMultilineBatch(batchID, fromNickMask, fromAccount string, isBot bool
 }
 var (
-	// in practice, many clients require that the final parameter be a trailing
+	// these are all the output commands that MUST have their last param be a trailing.
-	// (prefixed with `:`) even when this is not syntactically necessary.
+	// this is needed because dumb clients like to treat trailing params separately from the
-	// by default, force the following commands to use a trailing:
+	// other params in messages.
-	commandsThatMustUseTrailing = utils.SetLiteral(
+	commandsThatMustUseTrailing = map[string]bool{
-		"PRIVMSG",
+		"PRIVMSG": true,
-		"NOTICE",
+		"NOTICE":  true,
-		RPL_WHOISCHANNELS,
+
-		RPL_USERHOST,
+		RPL_WHOISCHANNELS: true,
 		RPL_USERHOST:      true,
 		// mirc's handling of RPL_NAMREPLY is broken:
 		// https://forums.mirc.com/ubbthreads.php/topics/266939/re-nick-list
-		RPL_NAMREPLY,
+		RPL_NAMREPLY: true,
-	)
+	}
 )
 func forceTrailing(config *Config, command string) bool {
 	return config.Server.Compatibility.forceTrailing && commandsThatMustUseTrailing.Has(command)
 }
 // SendRawMessage sends a raw message to the client.
 func (session *Session) SendRawMessage(message ircmsg.Message, blocking bool) error {
-	if forceTrailing(session.client.server.Config(), message.Command) {
+	// use dumb hack to force the last param to be a trailing param if required
 	config := session.client.server.Config()
 	if config.Server.Compatibility.forceTrailing && commandsThatMustUseTrailing[message.Command] {
 		message.ForceTrailing()
 	}
@ -1690,7 +1651,7 @@ func (client *Client) addHistoryItem(target *Client, item history.Item, details,
 	}
 	item.Nick = details.nickMask
-	item.Account = details.account
+	item.AccountName = details.accountName
 	targetedItem := item
 	targetedItem.Params[0] = tDetails.nick
@ -1698,15 +1659,15 @@ func (client *Client) addHistoryItem(target *Client, item history.Item, details,
 	tStatus, _ := target.historyStatus(config)
 	// add to ephemeral history
 	if cStatus == HistoryEphemeral {
-		targetedItem.Target = tDetails.account
+		targetedItem.CfCorrespondent = tDetails.nickCasefolded
 		client.history.Add(targetedItem)
 	}
 	if tStatus == HistoryEphemeral && client != target {
-		item.Target = target.Account()
+		item.CfCorrespondent = details.nickCasefolded
 		target.history.Add(item)
 	}
 	if cStatus == HistoryPersistent || tStatus == HistoryPersistent {
-		targetedItem.Target = target.account
+		targetedItem.CfCorrespondent = ""
 		client.server.historyDB.AddDirectMessage(details.nickCasefolded, details.account, tDetails.nickCasefolded, tDetails.account, targetedItem)
 	}
 	return nil
@ -1782,7 +1743,7 @@ func (client *Client) handleRegisterTimeout() {
 func (client *Client) copyLastSeen() (result map[string]time.Time) {
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
-	return maps.Clone(client.lastSeen)
+	return utils.CopyMap(client.lastSeen)
 }
 // these are bit flags indicating what part of the client status is "dirty"
@ -1811,8 +1772,6 @@ func (client *Client) wakeWriter() {
 }
 func (client *Client) writeLoop() {
 	defer client.server.HandlePanic()
 	for {
 		client.performWrite(0)
 		client.writebackLock.Unlock()
@ -1843,11 +1802,7 @@ func (client *Client) performWrite(additionalDirtyBits uint) {
 		channels := client.Channels()
 		channelToModes := make(map[string]alwaysOnChannelStatus, len(channels))
 		for _, channel := range channels {
-			ok, chname, status := channel.alwaysOnStatus(client)
+			chname, status := channel.alwaysOnStatus(client)
 			if !ok {
 				client.server.logger.Error("internal", "client and channel membership out of sync", chname, client.Nick())
 				continue
 			}
 			channelToModes[chname] = status
 		}
 		client.server.accounts.saveChannels(account, channelToModes)
--- a/irc/client_lookup_set.go
+++ b/irc/client_lookup_set.go
@ -116,8 +116,6 @@ func (clients *ClientManager) SetNick(client *Client, session *Session, newNick
 		useAccountName = alwaysOn || config.Accounts.NickReservation.ForceNickEqualsAccount
 	}
 	nickIsReserved := false
 	if useAccountName {
 		if registered && newNick != accountName {
 			return "", errNickAccountMismatch, false
@ -169,9 +167,7 @@ func (clients *ClientManager) SetNick(client *Client, session *Session, newNick
 		reservedAccount, method := client.server.accounts.EnforcementStatus(newCfNick, newSkeleton)
 		if method == NickEnforcementStrict && reservedAccount != "" && reservedAccount != account {
-			// see #2135: we want to enter the critical section, see if the nick is actually in use,
+			return "", errNicknameReserved, false
 			// and return errNicknameInUse in that case
 			nickIsReserved = true
 		}
 	}
@ -199,6 +195,15 @@ func (clients *ClientManager) SetNick(client *Client, session *Session, newNick
 			dryRun || session == nil {
 			return "", errNicknameInUse, false
 		}
 		// check TLS modes
 		if client.HasMode(modes.TLS) != currentClient.HasMode(modes.TLS) {
 			if useAccountName {
 				// #955: this is fatal because they can't fix it by trying a different nick
 				return "", errInsecureReattach, false
 			} else {
 				return "", errNicknameInUse, false
 			}
 		}
 		reattachSuccessful, numSessions, lastSeen, wasAway, nowAway := currentClient.AddSession(session)
 		if !reattachSuccessful {
 			return "", errNicknameInUse, false
@ -223,9 +228,6 @@ func (clients *ClientManager) SetNick(client *Client, session *Session, newNick
 	if skeletonHolder != nil && skeletonHolder != client {
 		return "", errNicknameInUse, false
 	}
 	if nickIsReserved {
 		return "", errNicknameReserved, false
 	}
 	if dryRun {
 		return "", nil, false
--- a/irc/commands.go
+++ b/irc/commands.go
@ -152,10 +152,6 @@ func init() {
 			handler:   isonHandler,
 			minParams: 1,
 		},
 		"ISUPPORT": {
 			handler:      isupportHandler,
 			usablePreReg: true,
 		},
 		"JOIN": {
 			handler:   joinHandler,
 			minParams: 1,
@ -305,10 +301,6 @@ func init() {
 			usablePreReg: true,
 			minParams:    0,
 		},
 		"REDACT": {
 			handler:   redactHandler,
 			minParams: 2,
 		},
 		"REHASH": {
 			handler:   rehashHandler,
 			minParams: 0,
@ -383,11 +375,6 @@ func init() {
 			handler:   zncHandler,
 			minParams: 1,
 		},
 		// CEF custom commands
 		"REACT": {
 			handler:   reactHandler,
 			minParams: 2,
 		},
 	}
 	initializeServices()
--- a/irc/config.go
+++ b/irc/config.go
@ -38,7 +38,6 @@ import (
 	"github.com/ergochat/ergo/irc/logger"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/mysql"
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/passwd"
 	"github.com/ergochat/ergo/irc/utils"
 )
@ -333,8 +332,6 @@ type AccountConfig struct {
 	Bouncer     *MulticlientConfig // # handle old name for 'multiclient'
 	VHosts      VHostConfig
 	AuthScript  AuthScriptConfig `yaml:"auth-script"`
 	OAuth2      oauth2.OAuth2BearerConfig `yaml:"oauth2"`
 	JWTAuth     jwt.JWTAuthConfig         `yaml:"jwt-auth"`
 }
 type ScriptConfig struct {
@ -453,10 +450,6 @@ func (cm *Casemapping) UnmarshalYAML(unmarshal func(interface{}) error) (err err
 		result = CasemappingPRECIS
 	case "permissive", "fun":
 		result = CasemappingPermissive
 	case "rfc1459":
 		result = CasemappingRFC1459
 	case "rfc1459-strict":
 		result = CasemappingRFC1459Strict
 	default:
 		return fmt.Errorf("invalid casemapping value: %s", orig)
 	}
@ -491,7 +484,6 @@ type Limits struct {
 	ChanListModes        int `yaml:"chan-list-modes"`
 	ChannelLen           int `yaml:"channellen"`
 	IdentLen             int `yaml:"identlen"`
 	RealnameLen          int `yaml:"realnamelen"`
 	KickLen              int `yaml:"kicklen"`
 	MonitorEntries       int `yaml:"monitor-entries"`
 	NickLen              int `yaml:"nicklen"`
@ -652,7 +644,6 @@ type Config struct {
 		}
 		ListDelay        time.Duration    `yaml:"list-delay"`
 		InviteExpiration custime.Duration `yaml:"invite-expiration"`
 		AutoJoin         []string         `yaml:"auto-join"`
 	}
 	OperClasses map[string]*OperClassConfig `yaml:"oper-classes"`
@ -709,14 +700,6 @@ type Config struct {
 	}
 	Filename string
 	Cef struct {
 		Imagor struct {
 			Url    string
 			Secret string
 		}
 		Redis string
 	}
 }
 // OperClass defines an assembled operator class.
@ -1055,7 +1038,7 @@ func (ce *configPathError) Error() string {
 	return fmt.Sprintf("Couldn't apply config override `%s`: %s", ce.name, ce.desc)
 }
-func mungeFromEnvironment(config *Config, envPair string) (applied bool, name string, err *configPathError) {
+func mungeFromEnvironment(config *Config, envPair string) (applied bool, err *configPathError) {
 	equalIdx := strings.IndexByte(envPair, '=')
 	name, value := envPair[:equalIdx], envPair[equalIdx+1:]
 	if strings.HasPrefix(name, "ERGO__") {
@ -1063,7 +1046,7 @@ func mungeFromEnvironment(config *Config, envPair string) (applied bool, name st
 	} else if strings.HasPrefix(name, "ORAGONO__") {
 		name = strings.TrimPrefix(name, "ORAGONO__")
 	} else {
-		return false, "", nil
+		return false, nil
 	}
 	pathComponents := strings.Split(name, "__")
 	for i, pathComponent := range pathComponents {
@ -1074,10 +1057,10 @@ func mungeFromEnvironment(config *Config, envPair string) (applied bool, name st
 	t := v.Type()
 	for _, component := range pathComponents {
 		if component == "" {
-			return false, "", &configPathError{name, "invalid", nil}
+			return false, &configPathError{name, "invalid", nil}
 		}
 		if v.Kind() != reflect.Struct {
-			return false, "", &configPathError{name, "index into non-struct", nil}
+			return false, &configPathError{name, "index into non-struct", nil}
 		}
 		var nextField reflect.StructField
 		success := false
@ -1103,7 +1086,7 @@ func mungeFromEnvironment(config *Config, envPair string) (applied bool, name st
 			}
 		}
 		if !success {
-			return false, "", &configPathError{name, fmt.Sprintf("couldn't resolve path component: `%s`", component), nil}
+			return false, &configPathError{name, fmt.Sprintf("couldn't resolve path component: `%s`", component), nil}
 		}
 		v = v.FieldByName(nextField.Name)
 		// dereference pointer field if necessary, initialize new value if necessary
@ -1117,9 +1100,9 @@ func mungeFromEnvironment(config *Config, envPair string) (applied bool, name st
 	}
 	yamlErr := yaml.Unmarshal([]byte(value), v.Addr().Interface())
 	if yamlErr != nil {
-		return false, "", &configPathError{name, "couldn't deserialize YAML", yamlErr}
+		return false, &configPathError{name, "couldn't deserialize YAML", yamlErr}
 	}
-	return true, name, nil
+	return true, nil
 }
 // LoadConfig loads the given YAML configuration file.
@ -1131,7 +1114,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 	if config.AllowEnvironmentOverrides {
 		for _, envPair := range os.Environ() {
-			applied, name, envErr := mungeFromEnvironment(config, envPair)
+			applied, envErr := mungeFromEnvironment(config, envPair)
 			if envErr != nil {
 				if envErr.fatalErr != nil {
 					return nil, envErr
@ -1139,7 +1122,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 					log.Println(envErr.Error())
 				}
 			} else if applied {
-				log.Printf("applied environment override: %s\n", name)
+				log.Printf("applied environment override: %s\n", envPair)
 			}
 		}
 	}
@ -1406,34 +1389,15 @@ func LoadConfig(filename string) (config *Config, err error) {
 		config.Accounts.VHosts.validRegexp = defaultValidVhostRegex
 	}
-	if config.Accounts.AuthenticationEnabled {
+	saslCapValue := "PLAIN,EXTERNAL,SCRAM-SHA-256"
-		saslCapValues := []string{"PLAIN", "EXTERNAL"}
+	if !config.Accounts.AdvertiseSCRAM {
-		if config.Accounts.AdvertiseSCRAM {
+		saslCapValue = "PLAIN,EXTERNAL"
 			saslCapValues = append(saslCapValues, "SCRAM-SHA-256")
 	}
-		if config.Accounts.OAuth2.Enabled {
+	config.Server.capValues[caps.SASL] = saslCapValue
-			saslCapValues = append(saslCapValues, "OAUTHBEARER")
+	if !config.Accounts.AuthenticationEnabled {
 		}
 		if config.Accounts.OAuth2.Enabled || config.Accounts.JWTAuth.Enabled {
 			saslCapValues = append(saslCapValues, "IRCV3BEARER")
 		}
 		config.Server.capValues[caps.SASL] = strings.Join(saslCapValues, ",")
 	} else {
 		config.Server.supportedCaps.Disable(caps.SASL)
 	}
 	if err := config.Accounts.OAuth2.Postprocess(); err != nil {
 		return nil, err
 	}
 	if err := config.Accounts.JWTAuth.Postprocess(); err != nil {
 		return nil, err
 	}
 	if config.Accounts.OAuth2.Enabled && config.Accounts.OAuth2.AuthScript && !config.Accounts.AuthScript.Enabled {
 		return nil, fmt.Errorf("oauth2 is enabled with auth-script, but no auth-script is enabled")
 	}
 	if !config.Accounts.Registration.Enabled {
 		config.Server.supportedCaps.Disable(caps.AccountRegistration)
 	} else {
@ -1603,10 +1567,6 @@ func (config *Config) isRelaymsgIdentifier(nick string) bool {
 		return false
 	}
 	if strings.HasPrefix(nick, "#") {
 		return false // #2114
 	}
 	for _, char := range config.Server.Relaymsg.Separators {
 		if strings.ContainsRune(nick, char) {
 			return true
@ -1624,16 +1584,7 @@ func (config *Config) generateISupport() (err error) {
 	isupport.Initialize()
 	isupport.Add("AWAYLEN", strconv.Itoa(config.Limits.AwayLen))
 	isupport.Add("BOT", "B")
-	var casemappingToken string
+	isupport.Add("CASEMAPPING", "ascii")
 	switch config.Server.Casemapping {
 	default:
 		casemappingToken = "ascii" // this is published for ascii, precis, or permissive
 	case CasemappingRFC1459:
 		casemappingToken = "rfc1459"
 	case CasemappingRFC1459Strict:
 		casemappingToken = "rfc1459-strict"
 	}
 	isupport.Add("CASEMAPPING", casemappingToken)
 	isupport.Add("CHANLIMIT", fmt.Sprintf("%s:%d", chanTypes, config.Channels.MaxChannelsPerClient))
 	isupport.Add("CHANMODES", chanmodesToken)
 	if config.History.Enabled && config.History.ChathistoryMax > 0 {
@ -1664,7 +1615,6 @@ func (config *Config) generateISupport() (err error) {
 		isupport.Add("RPCHAN", "E")
 		isupport.Add("RPUSER", "E")
 	}
 	isupport.Add("SAFELIST", "")
 	isupport.Add("STATUSMSG", "~&@%+")
 	isupport.Add("TARGMAX", fmt.Sprintf("NAMES:1,LIST:1,KICK:,WHOIS:1,USERHOST:10,PRIVMSG:%s,TAGMSG:%s,NOTICE:%s,MONITOR:%d", maxTargetsString, maxTargetsString, maxTargetsString, config.Limits.MonitorEntries))
 	isupport.Add("TOPICLEN", strconv.Itoa(config.Limits.TopicLen))
--- a/irc/config_test.go
+++ b/irc/config_test.go
@ -28,7 +28,7 @@ func TestEnvironmentOverrides(t *testing.T) {
 		`ORAGONO__SERVER__IP_CLOAKING={"enabled": true, "enabled-for-always-on": true, "netname": "irc", "cidr-len-ipv4": 32, "cidr-len-ipv6": 64, "num-bits": 64}`,
 	}
 	for _, envPair := range env {
-		_, _, err := mungeFromEnvironment(&config, envPair)
+		_, err := mungeFromEnvironment(&config, envPair)
 		if err != nil {
 			t.Errorf("couldn't apply override `%s`: %v", envPair, err)
 		}
@ -93,7 +93,7 @@ func TestEnvironmentOverrideErrors(t *testing.T) {
 	}
 	for _, env := range invalidEnvs {
-		success, _, err := mungeFromEnvironment(&config, env)
+		success, err := mungeFromEnvironment(&config, env)
 		if err == nil || success {
 			t.Errorf("accepted invalid env override `%s`", env)
 		}
--- a/irc/constants.go
+++ b/irc/constants.go
@ -8,7 +8,7 @@ package irc
 const (
 	// maxLastArgLength is used to simply cap off the final argument when creating general messages where we need to select a limit.
 	// for instance, in MONITOR lists, RPL_ISUPPORT lists, etc.
-	maxLastArgLength = 1024
+	maxLastArgLength = 400
 	// maxTargets is the maximum number of targets for PRIVMSG and NOTICE.
 	maxTargets = 4
 )
--- a/irc/database.go
+++ b/irc/database.go
@ -150,7 +150,7 @@ func retrieveSchemaVersion(tx *buntdb.Tx) (version int, err error) {
 func performAutoUpgrade(currentVersion int, config *Config) (err error) {
 	path := config.Datastore.Path
 	log.Printf("attempting to auto-upgrade schema from version %d to %d\n", currentVersion, latestDbSchema)
-	timestamp := time.Now().UTC().Format("2006-01-02-15.04.05.000Z")
+	timestamp := time.Now().UTC().Format("2006-01-02-15:04:05.000Z")
 	backupPath := fmt.Sprintf("%s.v%d.%s.bak", path, currentVersion, timestamp)
 	log.Printf("making a backup of current database at %s\n", backupPath)
 	err = utils.CopyFile(path, backupPath)
--- a/irc/dline.go
+++ b/irc/dline.go
@ -275,6 +275,6 @@ func (dm *DLineManager) loadFromDatastore() {
 	})
 }
-func (server *Server) loadDLines() {
+func (s *Server) loadDLines() {
-	server.dlines = NewDLineManager(server)
+	s.dlines = NewDLineManager(s)
 }
--- a/irc/email/email.go
+++ b/irc/email/email.go
@ -4,13 +4,10 @@
 package email
 import (
 	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"os"
 	"regexp"
 	"strings"
 	"time"
@ -26,38 +23,6 @@ var (
 	ErrNoMXRecord         = errors.New("Couldn't resolve MX record")
 )
 type BlacklistSyntax uint
 const (
 	BlacklistSyntaxGlob BlacklistSyntax = iota
 	BlacklistSyntaxRegexp
 )
 func blacklistSyntaxFromString(status string) (BlacklistSyntax, error) {
 	switch strings.ToLower(status) {
 	case "glob", "":
 		return BlacklistSyntaxGlob, nil
 	case "re", "regex", "regexp":
 		return BlacklistSyntaxRegexp, nil
 	default:
 		return BlacklistSyntaxRegexp, fmt.Errorf("Unknown blacklist syntax type `%s`", status)
 	}
 }
 func (bs *BlacklistSyntax) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	var orig string
 	var err error
 	if err = unmarshal(&orig); err != nil {
 		return err
 	}
 	if result, err := blacklistSyntaxFromString(orig); err == nil {
 		*bs = result
 		return nil
 	} else {
 		return err
 	}
 }
 type MTAConfig struct {
 	Server      string
 	Port        int
@ -75,15 +40,10 @@ type MailtoConfig struct {
 	Sender               string
 	HeloDomain           string `yaml:"helo-domain"`
 	RequireTLS           bool   `yaml:"require-tls"`
 	Protocol               string `yaml:"protocol"`
 	LocalAddress           string `yaml:"local-address"`
 	localAddress           net.Addr
 	VerifyMessageSubject string `yaml:"verify-message-subject"`
 	DKIM                 DKIMConfig
 	MTAReal              MTAConfig `yaml:"mta"`
-	AddressBlacklist       []string        `yaml:"address-blacklist"`
+	BlacklistRegexes     []string  `yaml:"blacklist-regexes"`
 	AddressBlacklistSyntax BlacklistSyntax `yaml:"address-blacklist-syntax"`
 	AddressBlacklistFile   string          `yaml:"address-blacklist-file"`
 	blacklistRegexes     []*regexp.Regexp
 	Timeout              time.Duration
 	PasswordReset        struct {
@ -93,44 +53,6 @@ type MailtoConfig struct {
 	} `yaml:"password-reset"`
 }
 func (config *MailtoConfig) compileBlacklistEntry(source string) (re *regexp.Regexp, err error) {
 	if config.AddressBlacklistSyntax == BlacklistSyntaxGlob {
 		return utils.CompileGlob(source, false)
 	} else {
 		return regexp.Compile(fmt.Sprintf("^%s$", source))
 	}
 }
 func (config *MailtoConfig) processBlacklistFile(filename string) (result []*regexp.Regexp, err error) {
 	f, err := os.Open(filename)
 	if err != nil {
 		return
 	}
 	defer f.Close()
 	reader := bufio.NewReader(f)
 	lineNo := 0
 	for {
 		line, err := reader.ReadString('\n')
 		lineNo++
 		line = strings.TrimSpace(line)
 		if line != "" && line[0] != '#' {
 			if compiled, compileErr := config.compileBlacklistEntry(line); compileErr == nil {
 				result = append(result, compiled)
 			} else {
 				return result, fmt.Errorf("Failed to compile line %d of blacklist-regex-file `%s`: %w", lineNo, line, compileErr)
 			}
 		}
 		switch err {
 		case io.EOF:
 			return result, nil
 		case nil:
 			continue
 		default:
 			return result, err
 		}
 	}
 }
 func (config *MailtoConfig) Postprocess(heloDomain string) (err error) {
 	if config.Sender == "" {
 		return errors.New("Invalid mailto sender address")
@ -146,40 +68,13 @@ func (config *MailtoConfig) Postprocess(heloDomain string) (err error) {
 		config.HeloDomain = heloDomain
 	}
-	if config.AddressBlacklistFile != "" {
+	for _, reg := range config.BlacklistRegexes {
-		config.blacklistRegexes, err = config.processBlacklistFile(config.AddressBlacklistFile)
+		compiled, err := regexp.Compile(fmt.Sprintf("^%s$", reg))
 		if err != nil {
 			return err
 		}
 	} else if len(config.AddressBlacklist) != 0 {
 		config.blacklistRegexes = make([]*regexp.Regexp, 0, len(config.AddressBlacklist))
 		for _, reg := range config.AddressBlacklist {
 			compiled, err := config.compileBlacklistEntry(reg)
 		if err != nil {
 			return err
 		}
 		config.blacklistRegexes = append(config.blacklistRegexes, compiled)
 	}
 	}
 	config.Protocol = strings.ToLower(config.Protocol)
 	if config.Protocol == "" {
 		config.Protocol = "tcp"
 	}
 	if !(config.Protocol == "tcp" || config.Protocol == "tcp4" || config.Protocol == "tcp6") {
 		return fmt.Errorf("Invalid protocol for email sending: `%s`", config.Protocol)
 	}
 	if config.LocalAddress != "" {
 		ipAddr := net.ParseIP(config.LocalAddress)
 		if ipAddr == nil {
 			return fmt.Errorf("Could not parse local-address for email sending: `%s`", config.LocalAddress)
 		}
 		config.localAddress = &net.TCPAddr{
 			IP:   ipAddr,
 			Port: 0,
 		}
 	}
 	if config.MTAConfig.Server != "" {
 		// smarthost, nothing more to validate
@ -215,9 +110,6 @@ func ComposeMail(config MailtoConfig, recipient, subject string) (message bytes.
 	dkimDomain := config.DKIM.Domain
 	if dkimDomain != "" {
 		fmt.Fprintf(&message, "Message-ID: <%s@%s>\r\n", utils.GenerateSecretKey(), dkimDomain)
 	} else {
 		// #2108: send Message-ID even if dkim is not enabled
 		fmt.Fprintf(&message, "Message-ID: <%s-%s>\r\n", utils.GenerateSecretKey(), config.Sender)
 	}
 	fmt.Fprintf(&message, "Date: %s\r\n", time.Now().UTC().Format(time.RFC1123Z))
 	fmt.Fprintf(&message, "Subject: %s\r\n", subject)
@ -226,9 +118,8 @@ func ComposeMail(config MailtoConfig, recipient, subject string) (message bytes.
 }
 func SendMail(config MailtoConfig, recipient string, msg []byte) (err error) {
 	recipientLower := strings.ToLower(recipient)
 	for _, reg := range config.blacklistRegexes {
-		if reg.MatchString(recipientLower) {
+		if reg.MatchString(recipient) {
 			return ErrBlacklistedAddress
 		}
 	}
@ -263,6 +154,6 @@ func SendMail(config MailtoConfig, recipient string, msg []byte) (err error) {
 	return smtp.SendMail(
 		addr, auth, config.HeloDomain, config.Sender, []string{recipient}, msg,
-		config.RequireTLS, implicitTLS, config.Protocol, config.localAddress, config.Timeout,
+		config.RequireTLS, implicitTLS, config.Timeout,
 	)
 }
--- a/irc/errors.go
+++ b/irc/errors.go
@ -76,7 +76,6 @@ var (
 	errValidEmailRequired             = errors.New("A valid email address is required for account registration")
 	errInvalidAccountRename           = errors.New("Account renames can only change the casefolding of the account name")
 	errNameReserved                   = errors.New(`Name reserved due to a prior registration`)
 	errInvalidBearerTokenType         = errors.New("invalid bearer token type")
 )
 // String Errors
--- a/irc/fakelag.go
+++ b/irc/fakelag.go
@ -4,8 +4,9 @@
 package irc
 import (
 	"maps"
 	"time"
 	"github.com/ergochat/ergo/irc/utils"
 )
 // fakelag is a system for artificially delaying commands when a user issues
@ -39,7 +40,7 @@ func (fl *Fakelag) Initialize(config FakelagConfig) {
 	fl.config = config
 	// XXX don't share mutable member CommandBudgets:
 	if config.CommandBudgets != nil {
-		fl.config.CommandBudgets = maps.Clone(config.CommandBudgets)
+		fl.config.CommandBudgets = utils.CopyMap(config.CommandBudgets)
 	}
 	fl.nowFunc = time.Now
 	fl.sleepFunc = time.Sleep
--- a/irc/flock/flock.go
+++ b/irc/flock/flock.go
@ -1,4 +1,4 @@
-//go:build !(plan9 || solaris)
+//go:build !plan9
 package flock
--- a/irc/flock/flock_unsupported.go
+++ b/irc/flock/flock_unsupported.go
@ -1,4 +1,4 @@
-//go:build plan9 || solaris
+//go:build plan9
 package flock
--- a/irc/gateways.go
+++ b/irc/gateways.go
@ -32,7 +32,6 @@ type webircConfig struct {
 	Fingerprint    *string // legacy name for certfp, #1050
 	Certfp         string
 	Hosts          []string
 	AcceptHostname bool `yaml:"accept-hostname"`
 	allowedNets    []net.IPNet
 }
--- a/irc/getters.go
+++ b/irc/getters.go
@ -5,7 +5,6 @@ package irc
 import (
 	"fmt"
 	"maps"
 	"net"
 	"time"
@ -19,6 +18,10 @@ func (server *Server) Config() (config *Config) {
 	return server.config.Load()
 }
 func (server *Server) ChannelRegistrationEnabled() bool {
 	return server.Config().Channels.Registration.Enabled
 }
 func (server *Server) GetOperator(name string) (oper *Oper) {
 	name, err := CasefoldName(name)
 	if err != nil {
@ -410,11 +413,7 @@ func (client *Client) SetMode(mode modes.Mode, on bool) bool {
 func (client *Client) SetRealname(realname string) {
 	client.stateMutex.Lock()
 	// TODO: make this configurable
 	client.realname = realname
 	if len(realname) > 128 {
 		client.realname = client.realname[:128]
 	}
 	alwaysOn := client.registered && client.alwaysOn
 	client.stateMutex.Unlock()
 	if alwaysOn {
@ -516,7 +515,7 @@ func (client *Client) GetReadMarker(cfname string) (result string) {
 func (client *Client) copyReadMarkers() (result map[string]time.Time) {
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
-	return maps.Clone(client.readMarkers)
+	return utils.CopyMap(client.readMarkers)
 }
 func (client *Client) SetReadMarker(cfname string, now time.Time) (result time.Time) {
@ -616,11 +615,9 @@ func (channel *Channel) Founder() string {
 func (channel *Channel) HighestUserMode(client *Client) (result modes.Mode) {
 	channel.stateMutex.RLock()
-	defer channel.stateMutex.RUnlock()
+	clientModes := channel.members[client].modes
-	if clientData, ok := channel.members[client]; ok {
+	channel.stateMutex.RUnlock()
-		return clientData.modes.HighestChannelUserMode()
+	return clientModes.HighestChannelUserMode()
 	}
 	return
 }
 func (channel *Channel) Settings() (result ChannelSettings) {
--- a/irc/handlers.go
+++ b/irc/handlers.go
@ -8,6 +8,7 @@ package irc
 import (
 	"bytes"
 	"encoding/base64"
 	"fmt"
 	"net"
 	"os"
@ -30,7 +31,6 @@ import (
 	"github.com/ergochat/ergo/irc/history"
 	"github.com/ergochat/ergo/irc/jwt"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/sno"
 	"github.com/ergochat/ergo/irc/utils"
 )
@ -90,6 +90,8 @@ func sendSuccessfulRegResponse(service *ircService, client *Client, rb *Response
 	details := client.Details()
 	if service != nil {
 		service.Notice(rb, client.t("Account created"))
 	} else {
 		rb.Add(nil, client.server.name, RPL_REG_SUCCESS, details.nick, details.accountName, client.t("Account created"))
 	}
 	client.server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Client $c[grey][$r%s$c[grey]] registered account $c[grey][$r%s$c[grey]] from IP %s"), details.nickMask, details.accountName, rb.session.IP().String()))
 	sendSuccessfulAccountAuth(service, client, rb, false)
@ -178,10 +180,6 @@ func acceptHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respo
 	return false
 }
 const (
 	saslMaxResponseLength = 8192 // implementation-defined sanity check, long enough for bearer tokens
 )
 // AUTHENTICATE [<mechanism>|<data>|*]
 func authenticateHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	session := rb.session
@ -205,21 +203,18 @@ func authenticateHandler(server *Server, client *Client, msg ircmsg.Message, rb
 		return false
 	}
-	// start new sasl session: parameter is the authentication mechanism
+	// start new sasl session
 	if session.sasl.mechanism == "" {
-		mechanism := strings.ToUpper(msg.Params[0])
+		throttled, remainingTime := client.loginThrottle.Touch()
-		_, mechanismIsEnabled := EnabledSaslMechanisms[mechanism]
+		if throttled {
-
+			rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(),
-		// The spec says: "The AUTHENTICATE command MUST be used before registration
+				fmt.Sprintf(client.t("Please wait at least %v and try again"), remainingTime.Round(time.Millisecond)))
 		// is complete and with the sasl capability enabled." Enforcing this universally
 		// would simplify the implementation somewhat, but we've never enforced it before
 		// and I don't want to break working clients that use PLAIN or EXTERNAL
 		// and violate this MUST (e.g. by sending CAP END too early).
 		if client.registered && !(mechanism == "PLAIN" || mechanism == "EXTERNAL") {
 			rb.Add(nil, server.name, ERR_SASLFAIL, details.nick, client.t("SASL is only allowed before connection registration"))
 			return false
 		}
 		mechanism := strings.ToUpper(msg.Params[0])
 		_, mechanismIsEnabled := EnabledSaslMechanisms[mechanism]
 		if mechanismIsEnabled {
 			session.sasl.mechanism = mechanism
 			if !config.Server.Compatibility.SendUnprefixedSasl {
@ -237,28 +232,46 @@ func authenticateHandler(server *Server, client *Client, msg ircmsg.Message, rb
 		return false
 	}
-	// continue existing sasl session: parameter is a message chunk
+	// continue existing sasl session
-	done, value, err := session.sasl.value.Add(msg.Params[0])
+	rawData := msg.Params[0]
-	if err == nil {
+
-		if done {
+	// https://ircv3.net/specs/extensions/sasl-3.1:
-			// call actual handler
+	// "The response is encoded in Base64 (RFC 4648), then split to 400-byte chunks,
-			handler := EnabledSaslMechanisms[session.sasl.mechanism]
+	// and each chunk is sent as a separate AUTHENTICATE command."
-			return handler(server, client, session, value, rb)
+	saslMaxArgLength := 400
-		} else {
+	if len(rawData) > saslMaxArgLength {
 			return false // wait for continuation line
 		}
 	}
 	// else: error handling
 	switch err {
 	case ircutils.ErrSASLTooLong:
 		rb.Add(nil, server.name, ERR_SASLTOOLONG, details.nick, client.t("SASL message too long"))
 	case ircutils.ErrSASLLimitExceeded:
 		rb.Add(nil, server.name, ERR_SASLFAIL, details.nick, client.t("SASL authentication failed: Passphrase too long"))
 	default:
 		rb.Add(nil, server.name, ERR_SASLFAIL, details.nick, client.t("SASL authentication failed: Invalid b64 encoding"))
 	}
 		session.sasl.Clear()
 		return false
 	} else if len(rawData) == saslMaxArgLength {
 		// allow 4 'continuation' lines before rejecting for length
 		if len(session.sasl.value) >= saslMaxArgLength*4 {
 			rb.Add(nil, server.name, ERR_SASLFAIL, details.nick, client.t("SASL authentication failed: Passphrase too long"))
 			session.sasl.Clear()
 			return false
 		}
 		session.sasl.value += rawData
 		return false
 	}
 	if rawData != "+" {
 		session.sasl.value += rawData
 	}
 	var data []byte
 	var err error
 	if session.sasl.value != "+" {
 		data, err = base64.StdEncoding.DecodeString(session.sasl.value)
 		session.sasl.value = ""
 		if err != nil {
 			rb.Add(nil, server.name, ERR_SASLFAIL, details.nick, client.t("SASL authentication failed: Invalid b64 encoding"))
 			session.sasl.Clear()
 			return false
 		}
 	}
 	// call actual handler
 	handler := EnabledSaslMechanisms[session.sasl.mechanism]
 	return handler(server, client, session, data, rb)
 }
 // AUTHENTICATE PLAIN
@ -306,27 +319,6 @@ func authPlainHandler(server *Server, client *Client, session *Session, value []
 	return false
 }
 // AUTHENTICATE IRCV3BEARER
 func authIRCv3BearerHandler(server *Server, client *Client, session *Session, value []byte, rb *ResponseBuffer) bool {
 	defer session.sasl.Clear()
 	// <authzid> \x00 <type> \x00 <token>
 	splitValue := bytes.SplitN(value, []byte{'\000'}, 3)
 	if len(splitValue) != 3 {
 		rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), client.t("SASL authentication failed: Invalid auth blob"))
 		return false
 	}
 	err := server.accounts.AuthenticateByBearerToken(client, string(splitValue[1]), string(splitValue[2]))
 	if err != nil {
 		sendAuthErrorResponse(client, rb, err)
 		return false
 	}
 	sendSuccessfulAccountAuth(nil, client, rb, true)
 	return false
 }
 func sendAuthErrorResponse(client *Client, rb *ResponseBuffer, err error) {
 	msg := authErrorToMessage(client.server, err)
 	rb.Add(nil, client.server.name, ERR_SASLFAIL, client.nick, fmt.Sprintf("%s: %s", client.t("SASL authentication failed"), client.t(msg)))
@ -341,7 +333,7 @@ func authErrorToMessage(server *Server, err error) (msg string) {
 	}
 	switch err {
-	case errAccountDoesNotExist, errAccountUnverified, errAccountInvalidCredentials, errAuthzidAuthcidMismatch, errNickAccountMismatch, errAccountSuspended, oauth2.ErrInvalidToken:
+	case errAccountDoesNotExist, errAccountUnverified, errAccountInvalidCredentials, errAuthzidAuthcidMismatch, errNickAccountMismatch, errAccountSuspended:
 		return err.Error()
 	default:
 		// don't expose arbitrary error messages to the user
@ -361,18 +353,28 @@ func authExternalHandler(server *Server, client *Client, session *Session, value
 	// EXTERNAL doesn't carry an authentication ID (this is determined from the
 	// certificate), but does carry an optional authorization ID.
-	authzid := string(value)
+	var authzid string
 	var deviceID string
 	var err error
-	// see #843: strip the device ID for the benefit of clients that don't
+	if len(value) != 0 {
-	// distinguish user/ident from account name
+		authzid, err = CasefoldName(string(value))
-	if strudelIndex := strings.IndexByte(authzid, '@'); strudelIndex != -1 {
+		if err != nil {
-		authzid, deviceID = authzid[:strudelIndex], authzid[strudelIndex+1:]
+			err = errAuthzidAuthcidMismatch
 		}
 	}
 	if err == nil {
 		// see #843: strip the device ID for the benefit of clients that don't
 		// distinguish user/ident from account name
 		if strudelIndex := strings.IndexByte(authzid, '@'); strudelIndex != -1 {
 			var deviceID string
 			authzid, deviceID = authzid[:strudelIndex], authzid[strudelIndex+1:]
 			if !client.registered {
 				rb.session.deviceID = deviceID
 			}
 		}
 		err = server.accounts.AuthenticateByCertificate(client, rb.session.certfp, rb.session.peerCerts, authzid)
 	}
 	if err != nil {
 		sendAuthErrorResponse(client, rb, err)
 		return false
@ -381,9 +383,6 @@ func authExternalHandler(server *Server, client *Client, session *Session, value
 	}
 	sendSuccessfulAccountAuth(nil, client, rb, true)
 	if !client.registered && deviceID != "" {
 		rb.session.deviceID = deviceID
 	}
 	return false
 }
@ -398,12 +397,6 @@ func authScramHandler(server *Server, client *Client, session *Session, value []
 	// first message? if so, initialize the SCRAM conversation
 	if session.sasl.scramConv == nil {
 		if throttled, remainingTime := client.checkLoginThrottle(); throttled {
 			rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(),
 				fmt.Sprintf(client.t("Please wait at least %v and try again"), remainingTime.Round(time.Millisecond)))
 			continueAuth = false
 			return false
 		}
 		session.sasl.scramConv = server.accounts.NewScramConversation()
 	}
@ -427,8 +420,9 @@ func authScramHandler(server *Server, client *Client, session *Session, value []
 			account, err := server.accounts.LoadAccount(authcid)
 			if err == nil {
 				server.accounts.Login(client, account)
-				// fixupNickEqualsAccount is not needed for unregistered clients
+				if fixupNickEqualsAccount(client, rb, server.Config(), "") {
 					sendSuccessfulAccountAuth(nil, client, rb, true)
 				}
 			} else {
 				server.logger.Error("internal", "SCRAM succeeded but couldn't load account", authcid, err.Error())
 				rb.Add(nil, server.name, ERR_SASLFAIL, client.nick, client.t("SASL authentication failed"))
@ -441,7 +435,7 @@ func authScramHandler(server *Server, client *Client, session *Session, value []
 	response, err := session.sasl.scramConv.Step(string(value))
 	if err == nil {
-		sendSASLChallenge(server, rb, []byte(response))
+		rb.Add(nil, server.name, "AUTHENTICATE", base64.StdEncoding.EncodeToString([]byte(response)))
 	} else {
 		continueAuth = false
 		rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), err.Error())
@ -451,65 +445,13 @@ func authScramHandler(server *Server, client *Client, session *Session, value []
 	return false
 }
 // AUTHENTICATE OAUTHBEARER
 func authOauthBearerHandler(server *Server, client *Client, session *Session, value []byte, rb *ResponseBuffer) bool {
 	if !server.Config().Accounts.OAuth2.Enabled {
 		rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), "SASL authentication failed: mechanism not enabled")
 		return false
 	}
 	if session.sasl.oauthConv == nil {
 		session.sasl.oauthConv = oauth2.NewOAuthBearerServer(
 			func(opts oauth2.OAuthBearerOptions) *oauth2.OAuthBearerError {
 				err := server.accounts.AuthenticateByOAuthBearer(client, opts)
 				switch err {
 				case nil:
 					return nil
 				case oauth2.ErrInvalidToken:
 					return &oauth2.OAuthBearerError{Status: "invalid_token", Schemes: "bearer"}
 				case errFeatureDisabled:
 					return &oauth2.OAuthBearerError{Status: "invalid_request", Schemes: "bearer"}
 				default:
 					// this is probably a misconfiguration or infrastructure error so we should log it
 					server.logger.Error("internal", "failed to validate OAUTHBEARER token", err.Error())
 					// tell the client it was their fault even though it probably wasn't:
 					return &oauth2.OAuthBearerError{Status: "invalid_request", Schemes: "bearer"}
 				}
 			},
 		)
 	}
 	challenge, done, err := session.sasl.oauthConv.Next(value)
 	if done {
 		if err == nil {
 			sendSuccessfulAccountAuth(nil, client, rb, true)
 		} else {
 			rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), ircutils.SanitizeText(err.Error(), 350))
 		}
 		session.sasl.Clear()
 	} else {
 		// ignore `err`, we need to relay the challenge (which may contain a JSON-encoded error)
 		// to the client
 		sendSASLChallenge(server, rb, challenge)
 	}
 	return false
 }
 // helper to b64 a sasl response and chunk it into 400-byte lines
 // as per https://ircv3.net/specs/extensions/sasl-3.1
 func sendSASLChallenge(server *Server, rb *ResponseBuffer, challenge []byte) {
 	for _, chunk := range ircutils.EncodeSASLResponse(challenge) {
 		rb.Add(nil, server.name, "AUTHENTICATE", chunk)
 	}
 }
 // AWAY [<message>]
 func awayHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	// #1996: `AWAY :` is treated the same as `AWAY`
 	var awayMessage string
 	if len(msg.Params) > 0 {
 		awayMessage = msg.Params[0]
-		awayMessage = ircmsg.TruncateUTF8Safe(awayMessage, server.Config().Limits.AwayLen)
+		awayMessage = ircutils.TruncateUTF8Safe(awayMessage, server.Config().Limits.AwayLen)
 	}
 	wasAway, nowAway := rb.session.SetAway(awayMessage)
@ -570,16 +512,6 @@ func batchHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respon
 			// XXX changing the label inside a handler is a bit dodgy, but it works here
 			// because there's no way we could have triggered a flush up to this point
 			rb.Label = batch.responseLabel
 			for _, msg := range batch.message.Split {
 				signatures := server.GenerateImagorSignatures(msg.Message)
 				if len(signatures) > 0 {
 					if msg.Tags == nil {
 						msg.Tags = make(map[string]string)
 					}
 					msg.Tags["signatures"] = signatures
 				}
 			}
 			dispatchMessageToTarget(client, batch.tags, histType, batch.command, batch.target, batch.message, rb)
 		}
 	}
@ -712,14 +644,6 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 	var err error
 	var listTargets bool
 	var targets []history.TargetListing
 	var _, batchIdentifier = msg.GetTag("identifier")
 	var assuredPreposition = "error"
 	var limit int
 	if len(batchIdentifier) == 0 {
 		batchIdentifier = "UNIDENTIFIED"
 	}
 	defer func() {
 		// errors are sent either without a batch, or in a draft/labeled-response batch as usual
 		if err == utils.ErrInvalidParams {
@ -731,7 +655,7 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 		} else {
 			// successful responses are sent as a chathistory or history batch
 			if listTargets {
-				batchID := rb.StartNestedBatch(caps.ChathistoryTargetsBatchType)
+				batchID := rb.StartNestedBatch("draft/chathistory-targets")
 				defer rb.EndNestedBatch(batchID)
 				for _, target := range targets {
 					name := server.UnfoldName(target.CfName)
@ -739,9 +663,9 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 						target.Time.Format(IRCv3TimestampFormat))
 				}
 			} else if channel != nil {
-				channel.replayHistoryItems(rb, items, true, batchIdentifier, assuredPreposition, limit)
+				channel.replayHistoryItems(rb, items, true)
 			} else {
-				client.replayPrivmsgHistory(rb, items, target, true, batchIdentifier, assuredPreposition, limit)
+				client.replayPrivmsgHistory(rb, items, target, true)
 			}
 		}
 	}()
@ -794,6 +718,7 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 	paramPos := 2
 	var start, end history.Selector
 	var limit int
 	switch preposition {
 	case "targets":
 		// use the same selector parsing as BETWEEN,
@ -848,7 +773,6 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 		err = utils.ErrInvalidParams
 		return
 	}
 	assuredPreposition = preposition
 	if listTargets {
 		targets, err = client.listTargets(start, end, limit)
@ -873,6 +797,7 @@ func debugHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respon
 	switch param {
 	case "GCSTATS":
 		stats := debug.GCStats{
 			Pause:          make([]time.Duration, 10),
 			PauseQuantiles: make([]time.Duration, 5),
 		}
 		debug.ReadGCStats(&stats)
@ -1145,12 +1070,6 @@ func extjwtHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respo
 		}
 		claims["channel"] = channel.Name()
 		var channelModeStrings []string
 		for _, mode := range channel.flags.AllModes() {
 			channelModeStrings = append(channelModeStrings, mode.String())
 		}
 		claims["chanModes"] = channelModeStrings
 		claims["joined"] = 0
 		claims["cmodes"] = []string{}
 		if present, joinTimeSecs, cModes := channel.ClientStatus(client); present {
@ -1234,8 +1153,6 @@ Get an explanation of <argument>, or "index" for a list of help topics.`), rb)
 // HISTORY alice 15
 // HISTORY #darwin 1h
 func historyHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	rb.Notice(client.t("This command is currently disabled. Please use CHATHISTORY"))
 	/*
 	config := server.Config()
 	if !config.History.Enabled {
 		rb.Notice(client.t("This command has been disabled by the server administrators"))
@ -1252,16 +1169,13 @@ func historyHandler(server *Server, client *Client, msg ircmsg.Message, rb *Resp
 		return false
 	}
 		var _, batchIdentifier = msg.GetTag("identifier")
 	if len(items) != 0 {
 		if channel != nil {
-				channel.replayHistoryItems(rb, items, true, batchIdentifier)
+			channel.replayHistoryItems(rb, items, true)
 		} else {
-				client.replayPrivmsgHistory(rb, items, "", true, batchIdentifier)
+			client.replayPrivmsgHistory(rb, items, "", true)
 		}
 	}
 	*/
 	return false
 }
@ -1349,15 +1263,6 @@ func isonHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respons
 	return false
 }
 // ISUPPORT
 func isupportHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	server.RplISupport(client, rb)
 	if !client.registered {
 		rb.session.isupportSentPrereg = true
 	}
 	return false
 }
 // JOIN <channel>{,<channel>} [<key>{,<key>}]
 func joinHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	// #1417: allow `JOIN 0` with a confirmation code
@ -1928,9 +1833,8 @@ func announceCmodeChanges(channel *Channel, applied modes.ModeChanges, source, a
 		channel.AddHistoryItem(history.Item{
 			Type:        history.Mode,
 			Nick:        source,
-			Account: accountName,
+			AccountName: accountName,
 			Message:     message,
 			Target:  channel.NameCasefolded(),
 			IsBot:       isBot,
 		}, account)
 	}
@ -2222,7 +2126,6 @@ func validateLineLen(msgType history.ItemType, source, target, payload string) (
 	default:
 		return true
 	}
 	limit -= len(target)
 	limit -= len(payload)
 	return limit >= 0
 }
@ -2243,50 +2146,39 @@ func validateSplitMessageLen(msgType history.ItemType, source, target string, me
 // helper to store a batched PRIVMSG in the session object
 func absorbBatchedMessage(server *Server, client *Client, msg ircmsg.Message, batchTag string, histType history.ItemType, rb *ResponseBuffer) {
-	var failParams []string
+	var errorCode, errorMessage string
 	defer func() {
-		if failParams != nil {
+		if errorCode != "" {
 			if histType != history.Notice {
-				params := make([]string, 1+len(failParams))
+				rb.Add(nil, server.name, "FAIL", "BATCH", errorCode, errorMessage)
 				params[0] = "BATCH"
 				copy(params[1:], failParams)
 				rb.Add(nil, server.name, "FAIL", params...)
 			}
 			rb.session.EndMultilineBatch("")
 		}
 	}()
 	if batchTag != rb.session.batch.label {
-		failParams = []string{"MULTILINE_INVALID", client.t("Incorrect batch tag sent")}
+		errorCode, errorMessage = "MULTILINE_INVALID", client.t("Incorrect batch tag sent")
 		return
 	} else if len(msg.Params) < 2 {
-		failParams = []string{"MULTILINE_INVALID", client.t("Invalid multiline batch")}
+		errorCode, errorMessage = "MULTILINE_INVALID", client.t("Invalid multiline batch")
 		return
 	}
 	rb.session.batch.command = msg.Command
 	isConcat, _ := msg.GetTag(caps.MultilineConcatTag)
 	if isConcat && len(msg.Params[1]) == 0 {
-		failParams = []string{"MULTILINE_INVALID", client.t("Cannot send a blank line with the multiline concat tag")}
+		errorCode, errorMessage = "MULTILINE_INVALID", client.t("Cannot send a blank line with the multiline concat tag")
 		return
 	}
 	if !isConcat && len(rb.session.batch.message.Split) != 0 {
 		rb.session.batch.lenBytes++ // bill for the newline
 	}
-	rb.session.batch.message.Append(msg.Params[1], isConcat, msg.ClientOnlyTags())
+	rb.session.batch.message.Append(msg.Params[1], isConcat)
 	rb.session.batch.lenBytes += len(msg.Params[1])
 	config := server.Config()
 	if config.Limits.Multiline.MaxBytes < rb.session.batch.lenBytes {
-		failParams = []string{
+		errorCode, errorMessage = "MULTILINE_MAX_BYTES", strconv.Itoa(config.Limits.Multiline.MaxBytes)
 			"MULTILINE_MAX_BYTES",
 			strconv.Itoa(config.Limits.Multiline.MaxBytes),
 			fmt.Sprintf(client.t("Multiline batch byte limit %d exceeded"), config.Limits.Multiline.MaxBytes),
 		}
 	} else if config.Limits.Multiline.MaxLines != 0 && config.Limits.Multiline.MaxLines < rb.session.batch.message.LenLines() {
-		failParams = []string{
+		errorCode, errorMessage = "MULTILINE_MAX_LINES", strconv.Itoa(config.Limits.Multiline.MaxLines)
 			"MULTILINE_MAX_LINES",
 			strconv.Itoa(config.Limits.Multiline.MaxLines),
 			fmt.Sprintf(client.t("Multiline batch line limit %d exceeded"), config.Limits.Multiline.MaxLines),
 		}
 	}
 }
@ -2350,53 +2242,11 @@ func messageHandler(server *Server, client *Client, msg ircmsg.Message, rb *Resp
 		// each target gets distinct msgids
 		splitMsg := utils.MakeMessage(message)
 		signatures := server.GenerateImagorSignaturesFromMessage(&msg)
 		if len(signatures) > 0 {
 			if clientOnlyTags == nil {
 				clientOnlyTags = make(map[string]string)
 			}
 			clientOnlyTags["signatures"] = signatures
 		}
 		dispatchMessageToTarget(client, clientOnlyTags, histType, msg.Command, targetString, splitMsg, rb)
 	}
 	return false
 }
 // Not really sure how to do this in Go
 var endChars = map[int32]bool{
 	' ': true,
 	'@': true,
 	':': true,
 	'!': true,
 	'?': true,
 }
 func detectMentions(message string) (mentions []string) {
 	buf := ""
 	mentions = []string{}
 	working := false
 	for _, char := range message {
 		if char == '@' {
 			working = true
 			continue
 		}
 		if !working {
 			continue
 		}
 		if _, stop := endChars[char]; stop {
 			working = false
 			mentions = append(mentions, buf)
 			buf = ""
 		} else {
 			buf += string(char)
 		}
 	}
 	if len(buf) != 0 {
 		mentions = append(mentions, buf)
 	}
 	return
 }
 func dispatchMessageToTarget(client *Client, tags map[string]string, histType history.ItemType, command, target string, message utils.SplitMessage, rb *ResponseBuffer) {
 	server := client.server
@ -2413,15 +2263,7 @@ func dispatchMessageToTarget(client *Client, tags map[string]string, histType hi
 			}
 			return
 		}
 		// This likely isn't that great for performance. Should figure out some way to deal with this at some point
 		mentions := detectMentions(message.Message)
 		channel.SendSplitMessage(command, lowestPrefix, tags, client, message, rb)
 		for _, mention := range mentions {
 			user := client.server.clients.Get(mention)
 			if user != nil {
 				user.RedisBroadcast("MENTION", channel.Name(), message.Msgid)
 			}
 		}
 	} else if target[0] == '$' && len(target) > 2 && client.Oper().HasRoleCapab("massmessage") {
 		details := client.Details()
 		matcher, err := utils.CompileGlob(target[2:], false)
@ -2444,7 +2286,6 @@ func dispatchMessageToTarget(client *Client, tags map[string]string, histType hi
 			}
 		}
 	} else {
 		// PMs
 		lowercaseTarget := strings.ToLower(target)
 		service, isService := ErgoServices[lowercaseTarget]
 		_, isZNC := zncHandlers[lowercaseTarget]
@ -2544,13 +2385,8 @@ func dispatchMessageToTarget(client *Client, tags map[string]string, histType hi
 			Type:    histType,
 			Message: message,
 			Tags:    tags,
 			Target:  user.Account(),
 			Account: client.Account(),
 		}
 		client.addHistoryItem(user, item, &details, &tDetails, config)
 		user.RedisBroadcast("MENTION", user.NickCasefolded(), message.Msgid)
 	}
 }
@ -2827,97 +2663,6 @@ fail:
 	return false
 }
 // REDACT <target> <targetmsgid> [:<reason>]
 func redactHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	target := msg.Params[0]
 	targetmsgid := msg.Params[1]
 	//clientOnlyTags := msg.ClientOnlyTags()
 	var reason string
 	if len(msg.Params) > 2 {
 		reason = msg.Params[2]
 	}
 	var members []*Client // members of a channel, or both parties of a PM
 	var canDelete CanDelete
 	msgid := utils.GenerateMessageIdStr()
 	time := time.Now().UTC().Round(0)
 	details := client.Details()
 	isBot := client.HasMode(modes.Bot)
 	if target[0] == '#' {
 		channel := server.channels.Get(target)
 		if channel == nil {
 			rb.Add(nil, server.name, ERR_NOSUCHCHANNEL, client.Nick(), utils.SafeErrorParam(target), client.t("No such channel"))
 			return false
 		}
 		members = channel.Members()
 		canDelete = deletionPolicy(server, client, target)
 	} else {
 		targetClient := server.clients.Get(target)
 		if targetClient == nil {
 			rb.Add(nil, server.name, ERR_NOSUCHNICK, client.Nick(), target, "No such nick")
 			return false
 		}
 		members = []*Client{client, targetClient}
 		canDelete = canDeleteSelf
 	}
 	if canDelete == canDeleteNone {
 		rb.Add(nil, server.name, "FAIL", "REDACT", "REDACT_FORBIDDEN", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), client.t("You are not authorized to delete messages"))
 		return false
 	}
 	account := "*"
 	if canDelete == canDeleteSelf {
 		account = client.account
 		if account == "*" {
 			rb.Add(nil, server.name, "FAIL", "REDACT", "REDACT_FORBIDDEN", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), client.t("You are not authorized to delete this message"))
 			return false
 		}
 	}
 	err := server.DeleteMessage(target, targetmsgid, account)
 	if err == errNoop {
 		rb.Add(nil, server.name, "FAIL", "REDACT", "UNKNOWN_MSGID", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), client.t("This message does not exist or is too old"))
 		return false
 	} else if err != nil {
 		isOper := client.HasRoleCapabs("history")
 		if isOper {
 			rb.Add(nil, server.name, "FAIL", "REDACT", "REDACT_FORBIDDEN", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), fmt.Sprintf(client.t("Error deleting message: %v"), err))
 		} else {
 			rb.Add(nil, server.name, "FAIL", "REDACT", "REDACT_FORBIDDEN", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), client.t("Could not delete message"))
 		}
 		return false
 	}
 	if target[0] != '#' {
 		// If this is a PM, we just removed the message from the buffer of the other party;
 		// now we have to remove it from the buffer of the client who sent the REDACT command
 		err := server.DeleteMessage(client.Nick(), targetmsgid, account)
 		if err != nil {
 			client.server.logger.Error("internal", fmt.Sprintf("Private message %s is not deletable by %s from their own buffer's even though we just deleted it from %s's. This is a bug, please report it in details.", targetmsgid, client.Nick(), target), client.Nick())
 			isOper := client.HasRoleCapabs("history")
 			if isOper {
 				rb.Add(nil, server.name, "FAIL", "REDACT", "REDACT_FORBIDDEN", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), fmt.Sprintf(client.t("Error deleting message: %v"), err))
 			} else {
 				rb.Add(nil, server.name, "FAIL", "REDACT", "REDACT_FORBIDDEN", utils.SafeErrorParam(target), utils.SafeErrorParam(targetmsgid), client.t("Error deleting message"))
 			}
 		}
 	}
 	for _, member := range members {
 		for _, session := range member.Sessions() {
 			if session.capabilities.Has(caps.MessageRedaction) {
 				session.sendFromClientInternal(false, time, msgid, details.nickMask, details.accountName, isBot, nil, "REDACT", target, targetmsgid, reason)
 			} else {
 				// If we wanted to send a fallback to clients which do not support
 				// draft/message-redaction, we would do it from here.
 			}
 		}
 	}
 	return false
 }
 func reportPersistenceStatus(client *Client, rb *ResponseBuffer, broadcast bool) {
 	settings := client.AccountSettings()
 	serverSetting := client.server.Config().Accounts.Multiclient.AlwaysOn
@ -2982,7 +2727,7 @@ func registerHandler(server *Server, client *Client, msg ircmsg.Message, rb *Res
 	case "*", accountName:
 		// ok
 	default:
-		rb.Add(nil, server.name, "FAIL", "REGISTER", "ACCOUNT_NAME_MUST_BE_NICK", utils.SafeErrorParam(msg.Params[0]), client.t("You may only register your nickname as your account name"))
+		rb.Add(nil, server.name, "FAIL", "REGISTER", "ACCOUNTNAME_MUST_BE_NICK", utils.SafeErrorParam(msg.Params[0]), client.t("You may only register your nickname as your account name"))
 		return
 	}
@ -3218,8 +2963,6 @@ func relaymsgHandler(server *Server, client *Client, msg ircmsg.Message, rb *Res
 		Type:    history.Privmsg,
 		Message: message,
 		Nick:    nuh,
 		Target:  channel.NameCasefolded(),
 		Account: "$RELAYMSG",
 	}, "")
 	// 3 possibilities for tags:
@ -3335,10 +3078,8 @@ func renameHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respo
 					targetRb.Add(nil, targetPrefix, "JOIN", newName)
 				}
 				channel.SendTopic(mcl, targetRb, false)
 				if !targetRb.session.capabilities.Has(caps.NoImplicitNames) {
 				channel.Names(mcl, targetRb)
 			}
 			}
 			if mcl != client {
 				targetRb.Send(false)
 			}
@ -3502,10 +3243,6 @@ func userHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respons
 		rb.Add(nil, server.name, ERR_NEEDMOREPARAMS, client.Nick(), "USER", client.t("Not enough parameters"))
 		return false
 	}
 	config := server.Config()
 	if config.Limits.RealnameLen > 0 && len(realname) > config.Limits.RealnameLen {
 		realname = ircmsg.TruncateUTF8Safe(realname, config.Limits.RealnameLen)
 	}
 	// #843: we accept either: `USER user:pass@clientid` or `USER user@clientid`
 	if strudelIndex := strings.IndexByte(username, '@'); strudelIndex != -1 {
@ -3640,9 +3377,8 @@ func webircHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respo
 		}
 	}
 	config := server.Config()
 	givenPassword := []byte(msg.Params[0])
-	for _, info := range config.Server.WebIRC {
+	for _, info := range server.Config().Server.WebIRC {
 		if utils.IPInNets(client.realIP, info.allowedNets) {
 			// confirm password and/or fingerprint
 			if 0 < len(info.Password) && bcrypt.CompareHashAndPassword(info.Password, givenPassword) != nil {
@ -3652,23 +3388,11 @@ func webircHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respo
 				continue
 			}
-			candidateIP := msg.Params[3]
+			err, quitMsg := client.ApplyProxiedIP(rb.session, net.ParseIP(msg.Params[3]), secure)
 			err, quitMsg := client.ApplyProxiedIP(rb.session, net.ParseIP(candidateIP), secure)
 			if err != nil {
 				client.Quit(quitMsg, rb.session)
 				return true
 			} else {
 				if info.AcceptHostname {
 					candidateHostname := msg.Params[2]
 					if candidateHostname != candidateIP {
 						if utils.IsHostname(candidateHostname) {
 							rb.session.rawHostname = candidateHostname
 						} else {
 							// log this at debug level since it may be spammy
 							server.logger.Debug("internal", "invalid hostname from WEBIRC", candidateHostname)
 						}
 					}
 				}
 				return false
 			}
 		}
@ -4085,33 +3809,6 @@ func zncHandler(server *Server, client *Client, msg ircmsg.Message, rb *Response
 	return false
 }
 // REACT <msgid> :<reaction>
 func reactHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	// This directly uses SQL stuff, since it's targeted at CEF, which requires a DB.
 	_, _, target, sender, _, pm, err := server.historyDB.GetMessage(msg.Params[0])
 	if err != nil {
 		return false
 	}
 	var operation string
 	if server.historyDB.HasReactionFromUser(msg.Params[0], client.AccountName(), msg.Params[1]) {
 		server.historyDB.DeleteReaction(msg.Params[0], client.AccountName(), msg.Params[1])
 		operation = "DEL"
 	} else {
 		server.historyDB.AddReaction(msg.Params[0], client.AccountName(), msg.Params[1])
 		operation = "ADD"
 	}
 	if pm {
 		server.clients.Get(target).Send(nil, client.NickMaskString(), "REACT", operation, msg.Params[0], msg.Params[1])
 		server.clients.Get(sender).Send(nil, client.NickMaskString(), "REACT", operation, msg.Params[0], msg.Params[1])
 	} else {
 		server.channels.Get(target).BroadcastFrom(client.NickMaskString(), "REACT", operation, msg.Params[0], msg.Params[1])
 	}
 	return false
 }
 // fake handler for unknown commands
 func unknownCommandHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	var message string
--- a/irc/help.go
+++ b/irc/help.go
@ -259,11 +259,6 @@ appropriate channel privs.`,
 		text: `ISON <nickname>{ <nickname>}
 Returns whether the given nicks exist on the network.`,
 	},
 	"isupport": {
 		text: `ISUPPORT
 Returns RPL_ISUPPORT lines describing the server's capabilities.`,
 	},
 	"join": {
 		text: `JOIN <channel>{,<channel>} [<key>{,<key>}]
@ -440,12 +435,6 @@ Replies to a PING. Used to check link connectivity.`,
 		text: `PRIVMSG <target>{,<target>} <text to be sent>
 Sends the text to the given targets as a PRIVMSG.`,
 	},
 	"redact": {
 		text: `REDACT <target> <targetmsgid> [<reason>]
 Removes the message of the target msgid from the chat history of a channel
 or target user.`,
 	},
 	"relaymsg": {
 		text: `RELAYMSG <channel> <spoofed nick> :<message>
@ -634,12 +623,6 @@ for direct use by end users.`,
 		duplicate: true,
 	},
 	"react": {
 		text: `REACT <msgid> <reaction>
 Toggles a reaction to a message. CEF-specific`,
 	},
 	// Informational
 	"modes": {
 		textGenerator: modesTextGenerator,
--- a/irc/history/history.go
+++ b/irc/history/history.go
@ -4,7 +4,6 @@
 package history
 import (
 	"slices"
 	"sync"
 	"time"
@ -32,20 +31,13 @@ const (
 	initialAutoSize = 32
 )
 type Reaction struct {
 	Name        string
 	Total       int
 	SampleUsers []string
 }
 // Item represents an event (e.g., a PRIVMSG or a JOIN) and its associated data
 type Item struct {
 	Type ItemType
 	Nick string
 	// this is the uncasefolded account name, if there's no account it should be set to "*"
-	// in cef, this is always set, at least in theory. cant wait for bugs toc rop up
+	AccountName string
 	Account string
 	// for non-privmsg items, we may stuff some other data in here
 	Message utils.SplitMessage
 	Tags    map[string]string
@ -53,10 +45,8 @@ type Item struct {
 	// for a DM, this is the casefolded nickname of the other party (whether this is
 	// an incoming or outgoing message). this lets us emulate the "query buffer" functionality
 	// required by CHATHISTORY:
-	Target string `json:"Target"`
+	CfCorrespondent string `json:"CfCorrespondent,omitempty"`
 	IsBot           bool   `json:"IsBot,omitempty"`
 	Reactions []Reaction
 }
 // HasMsgid tests whether a message has the message id `msgid`.
@ -165,7 +155,7 @@ func (list *Buffer) betweenHelper(start, end Selector, cutoff time.Time, pred Pr
 	defer func() {
 		if !ascending {
-			slices.Reverse(results)
+			utils.ReverseSlice(results)
 		}
 	}()
@ -222,10 +212,10 @@ func (list *Buffer) allCorrespondents() (results []TargetListing) {
 	stop := list.start
 	for {
-		if !seen.Has(list.buffer[pos].Target) {
+		if !seen.Has(list.buffer[pos].CfCorrespondent) {
-			seen.Add(list.buffer[pos].Target)
+			seen.Add(list.buffer[pos].CfCorrespondent)
 			results = append(results, TargetListing{
-				CfName: list.buffer[pos].Target,
+				CfName: list.buffer[pos].CfCorrespondent,
 				Time:   list.buffer[pos].Message.Time,
 			})
 		}
@ -272,7 +262,7 @@ func (list *Buffer) listCorrespondents(start, end Selector, cutoff time.Time, li
 	}
 	if !ascending {
-		slices.Reverse(results)
+		utils.ReverseSlice(results)
 	}
 	return
@ -290,7 +280,7 @@ func (list *Buffer) MakeSequence(correspondent string, cutoff time.Time) Sequenc
 	var pred Predicate
 	if correspondent != "" {
 		pred = func(item *Item) bool {
-			return item.Target == correspondent
+			return item.CfCorrespondent == correspondent
 		}
 	}
 	return &bufferSequence{
--- a/irc/history/targets.go
+++ b/irc/history/targets.go
@ -4,9 +4,10 @@
 package history
 import (
 	"slices"
 	"sort"
 	"time"
 	"github.com/ergochat/ergo/irc/utils"
 )
 type TargetListing struct {
@ -34,8 +35,8 @@ func MergeTargets(base []TargetListing, extra []TargetListing, start, end time.T
 	results = make([]TargetListing, 0, prealloc)
 	if !ascending {
-		slices.Reverse(base)
+		utils.ReverseSlice(base)
-		slices.Reverse(extra)
+		utils.ReverseSlice(extra)
 	}
 	for len(results) < limit {
@ -65,7 +66,7 @@ func MergeTargets(base []TargetListing, extra []TargetListing, start, end time.T
 	}
 	if !ascending {
-		slices.Reverse(results)
+		utils.ReverseSlice(results)
 	}
 	return
 }
--- a/irc/histserv.go
+++ b/irc/histserv.go
@ -15,14 +15,6 @@ import (
 	"github.com/ergochat/ergo/irc/utils"
 )
 type CanDelete uint
 const (
 	canDeleteAny  CanDelete = iota // User is allowed to delete any message (for a given channel/PM)
 	canDeleteSelf                  // User is allowed to delete their own messages (ditto)
 	canDeleteNone                  // User is not allowed to delete any message (ditto)
 )
 const (
 	histservHelp = `HistServ provides commands related to history.`
 )
@ -100,53 +92,33 @@ func histservForgetHandler(service *ircService, server *Server, client *Client,
 	service.Notice(rb, fmt.Sprintf(client.t("Enqueued account %s for message deletion"), accountName))
 }
 // Returns:
 //
 // 1. `canDeleteAny` if the client allowed to delete other users' messages from the target, ie.:
 //   - the client is a channel operator, or
 //   - the client is an operator with "history" capability
 //
 // 2. `canDeleteSelf` if the client is allowed to delete their own messages from the target
 // 3. `canDeleteNone` otherwise
 func deletionPolicy(server *Server, client *Client, target string) CanDelete {
 	isOper := client.HasRoleCapabs("history")
 	if isOper {
 		return canDeleteAny
 	} else {
 		if server.Config().History.Retention.AllowIndividualDelete {
 			channel := server.channels.Get(target)
 			if channel != nil && channel.ClientIsAtLeast(client, modes.Operator) {
 				return canDeleteAny
 			} else {
 				return canDeleteSelf
 			}
 		} else {
 			return canDeleteNone
 		}
 	}
 }
 func histservDeleteHandler(service *ircService, server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {
 	target, msgid := params[0], params[1] // Fix #1881 2 params are required
-	canDelete := deletionPolicy(server, client, target)
+	// operators can delete; if individual delete is allowed, a chanop or
 	// the message author can delete
 	accountName := "*"
-	if canDelete == canDeleteNone {
+	isChanop := false
-		service.Notice(rb, client.t("Insufficient privileges"))
+	isOper := client.HasRoleCapabs("history")
-		return
+	if !isOper {
-	} else if canDelete == canDeleteSelf {
+		if server.Config().History.Retention.AllowIndividualDelete {
 			channel := server.channels.Get(target)
 			if channel != nil && channel.ClientIsAtLeast(client, modes.Operator) {
 				isChanop = true
 			} else {
 				accountName = client.AccountName()
-		if accountName == "*" {
+			}
 		}
 	}
 	if !isOper && !isChanop && accountName == "*" {
 		service.Notice(rb, client.t("Insufficient privileges"))
 		return
 	}
 	}
 	err := server.DeleteMessage(target, msgid, accountName)
 	if err == nil {
 		service.Notice(rb, client.t("Successfully deleted message"))
 	} else {
 		isOper := client.HasRoleCapabs("history")
 		if isOper {
 			service.Notice(rb, fmt.Sprintf(client.t("Error deleting message: %v"), err))
 		} else {
--- a/irc/isupport/list.go
+++ b/irc/isupport/list.go
@ -11,12 +11,6 @@ import (
 const (
 	maxLastArgLength = 400
 	/* Modern: "As the maximum number of message parameters to any reply is 15,
 	the maximum number of RPL_ISUPPORT tokens that can be advertised is 13."
 	<nickname> [up to 13 parameters] <human-readable trailing>
 	*/
 	maxParameters = 13
 )
 // List holds a list of ISUPPORT tokens
@ -101,7 +95,7 @@ func (il *List) GetDifference(newil *List) [][]string {
 			length += len(token)
 		}
-		if len(cache) == maxParameters || len(token)+length >= maxLastArgLength {
+		if len(cache) == 13 || len(token)+length >= maxLastArgLength {
 			replies = append(replies, cache)
 			cache = make([]string, 0)
 			length = 0
@ -144,7 +138,7 @@ func (il *List) RegenerateCachedReply() (err error) {
 			length += len(token)
 		}
-		if len(cache) == maxParameters || len(token)+length >= maxLastArgLength {
+		if len(cache) == 13 || len(token)+length >= maxLastArgLength {
 			il.CachedReply = append(il.CachedReply, cache)
 			cache = make([]string, 0)
 			length = 0
--- a/irc/jwt/bearer.go
+++ b/irc/jwt/bearer.go
@ -1,158 +0,0 @@
 // Copyright (c) 2024 Shivaram Lingamneni <slingamn@cs.stanford.edu>
 // released under the MIT license
 package jwt
 import (
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	jwt "github.com/golang-jwt/jwt/v5"
 )
 var (
 	ErrAuthDisabled        = fmt.Errorf("JWT authentication is disabled")
 	ErrNoValidAccountClaim = fmt.Errorf("JWT token did not contain an acceptable account name claim")
 )
 // JWTAuthConfig is the config for Ergo to accept JWTs via draft/bearer
 type JWTAuthConfig struct {
 	Enabled    bool                 `yaml:"enabled"`
 	Autocreate bool                 `yaml:"autocreate"`
 	Tokens     []JWTAuthTokenConfig `yaml:"tokens"`
 }
 type JWTAuthTokenConfig struct {
 	Algorithm     string `yaml:"algorithm"`
 	KeyString     string `yaml:"key"`
 	KeyFile       string `yaml:"key-file"`
 	key           any
 	parser        *jwt.Parser
 	AccountClaims []string `yaml:"account-claims"`
 	StripDomain   string   `yaml:"strip-domain"`
 }
 func (j *JWTAuthConfig) Postprocess() error {
 	if !j.Enabled {
 		return nil
 	}
 	if len(j.Tokens) == 0 {
 		return fmt.Errorf("JWT authentication enabled, but no valid tokens defined")
 	}
 	for i := range j.Tokens {
 		if err := j.Tokens[i].Postprocess(); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (j *JWTAuthTokenConfig) Postprocess() error {
 	keyBytes, err := j.keyBytes()
 	if err != nil {
 		return err
 	}
 	j.Algorithm = strings.ToLower(j.Algorithm)
 	var methods []string
 	switch j.Algorithm {
 	case "hmac":
 		j.key = keyBytes
 		methods = []string{"HS256", "HS384", "HS512"}
 	case "rsa":
 		rsaKey, err := jwt.ParseRSAPublicKeyFromPEM(keyBytes)
 		if err != nil {
 			return err
 		}
 		j.key = rsaKey
 		methods = []string{"RS256", "RS384", "RS512"}
 	case "eddsa":
 		eddsaKey, err := jwt.ParseEdPublicKeyFromPEM(keyBytes)
 		if err != nil {
 			return err
 		}
 		j.key = eddsaKey
 		methods = []string{"EdDSA"}
 	default:
 		return fmt.Errorf("invalid jwt algorithm: %s", j.Algorithm)
 	}
 	j.parser = jwt.NewParser(jwt.WithValidMethods(methods))
 	if len(j.AccountClaims) == 0 {
 		return fmt.Errorf("JWT auth enabled, but no account-claims specified")
 	}
 	j.StripDomain = strings.ToLower(j.StripDomain)
 	return nil
 }
 func (j *JWTAuthConfig) Validate(t string) (accountName string, err error) {
 	if !j.Enabled || len(j.Tokens) == 0 {
 		return "", ErrAuthDisabled
 	}
 	for i := range j.Tokens {
 		accountName, err = j.Tokens[i].Validate(t)
 		if err == nil {
 			return
 		}
 	}
 	return
 }
 func (j *JWTAuthTokenConfig) keyBytes() (result []byte, err error) {
 	if j.KeyFile != "" {
 		o, err := os.Open(j.KeyFile)
 		if err != nil {
 			return nil, err
 		}
 		defer o.Close()
 		return io.ReadAll(o)
 	}
 	if j.KeyString != "" {
 		return []byte(j.KeyString), nil
 	}
 	return nil, fmt.Errorf("JWT auth enabled, but no JWT key specified")
 }
 // implements jwt.Keyfunc
 func (j *JWTAuthTokenConfig) keyFunc(_ *jwt.Token) (interface{}, error) {
 	return j.key, nil
 }
 func (j *JWTAuthTokenConfig) Validate(t string) (accountName string, err error) {
 	token, err := j.parser.Parse(t, j.keyFunc)
 	if err != nil {
 		return "", err
 	}
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok {
 		// impossible with Parse (as opposed to ParseWithClaims)
 		return "", fmt.Errorf("unexpected type from parsed token claims: %T", claims)
 	}
 	for _, c := range j.AccountClaims {
 		if v, ok := claims[c]; ok {
 			if vstr, ok := v.(string); ok {
 				// validate and strip email addresses:
 				if idx := strings.IndexByte(vstr, '@'); idx != -1 {
 					suffix := vstr[idx+1:]
 					vstr = vstr[:idx]
 					if strings.ToLower(suffix) != j.StripDomain {
 						continue
 					}
 				}
 				return vstr, nil // success
 			}
 		}
 	}
 	return "", ErrNoValidAccountClaim
 }
--- a/irc/jwt/bearer_test.go
+++ b/irc/jwt/bearer_test.go
@ -1,143 +0,0 @@
 package jwt
 import (
 	"testing"
 	jwt "github.com/golang-jwt/jwt/v5"
 )
 const (
 	rsaTestPubKey = `-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhcCcXrfR/GmoPKxBi0H
 cUl2pUl4acq2m3abFtMMoYTydJdEhgYWfsXuragyEIVkJU1ZnrgedW0QJUcANRGO
 hP/B+MjBevDNsRXQECfhyjfzhz6KWZb4i7C2oImJuAjq/F4qGLdEGQDBpAzof8qv
 9Zt5iN3GXY/EQtQVMFyR/7BPcbPLbHlOtzZ6tVEioXuUxQoai7x3Kc0jIcPWuyGa
 Q04IvsgdaWO6oH4fhPfyVsmX37rYUn79zcqPHS4ieWM1KN9qc7W+/UJIeiwAStpJ
 8gv+OSMrijRZGgQGCeOO5U59GGJC4mqUczB+JFvrlAIv0rggNpl+qalngosNxukB
 uQIDAQAB
 -----END PUBLIC KEY-----`
 	rsaTestPrivKey = `-----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCFwJxet9H8aag
 8rEGLQdxSXalSXhpyrabdpsW0wyhhPJ0l0SGBhZ+xe6tqDIQhWQlTVmeuB51bRAl
 RwA1EY6E/8H4yMF68M2xFdAQJ+HKN/OHPopZlviLsLagiYm4COr8XioYt0QZAMGk
 DOh/yq/1m3mI3cZdj8RC1BUwXJH/sE9xs8tseU63Nnq1USKhe5TFChqLvHcpzSMh
 w9a7IZpDTgi+yB1pY7qgfh+E9/JWyZffuthSfv3Nyo8dLiJ5YzUo32pztb79Qkh6
 LABK2knyC/45IyuKNFkaBAYJ447lTn0YYkLiapRzMH4kW+uUAi/SuCA2mX6pqWeC
 iw3G6QG5AgMBAAECggEARaAnejoP2ykvE1G8e3Cv2M33x/eBQMI9m6uCmz9+qnqc
 14JkTIfmjffHVXie7RpNAKys16lJE+rZ/eVoh6EStVdiaDLsZYP45evjRcho0Tgd
 Hokq7FSiOMpd2V09kE1yrrHA/DjSLv38eTNAPIejc8IgaR7VyD6Is0iNiVnL7iLa
 mj1zB6+dSeQ5ICYkrihb1gA+SvECsjLZ/5XESXEdHJvxhC0vLAdHmdQf3BPPlrGg
 VHondxL5gt6MFykpOxTFA6f5JkSefhUR/2OcCDpMs6a5GUytjl3rA3aGT6v3CbnR
 ykD6PzyC20EUADQYF2pmJfzbxyRqfNdbSJwQv5QQYQKBgQD4rFdvgZC97L7WhZ5T
 axW8hRW2dH24GIqFT4ZnCg0suyMNshyGvDMuBfGvokN/yACmvsdE0/f57esar+ye
 l9RC+CzGUch08Ke5WdqwACOCNDpx0kJcXKTuLIgkvthdla/oAQQ9T7OgEwDrvaR0
 m8s/Z7Hb3hLD3xdOt6Xjrv/6xQKBgQDHzvbcIkhmWdvaPDT9NEu7psR/fxF5UjqU
 Cca/bfHhySRQs3A1CF57pfwpUqAcSivNf7O+3NI62AKoyMDYv0ek2h6hGk6g5GJ1
 SuXYfjcbkL6SWNV0InsgmzCjvxhyms83xZq7uMClEBvkiKVMdt6zFkwW9eRKtUuZ
 pzVK5RfqZQKBgF5SME/xGw+O7su7ntQROAtrh1LPWKgtVs093sLSgzDGQoN9XWiV
 lewNASEXMPcUy3pzvm2S4OoBnj1fISb+e9py+7i1aI1CgrvBIzvCsbU/TjPCBr21
 vjFA3trhMHw+vJwJVqxSwNUkoCLKqcg5F5yTHllBIGj/A34uFlQIGrvpAoGAextm
 d+1bhExbLBQqZdOh0cWHjjKBVqm2U93OKcYY4Q9oI5zbRqGYbUCwo9k3sxZz9JJ4
 8eDmWsEaqlm+kA0SnFyTwJkP1wvAKhpykTf6xi4hbNP0+DACgu17Q3iLHJmLkQZc
 Nss3TrwlI2KZzgnzXo4fZYotFWasZMhkCngqiw0CgYEAmz2D70RYEauUNE1+zLhS
 6Ox5+PF/8Z0rZOlTghMTfqYcDJa+qQe9pJp7RPgilsgemqo0XtgLKz3ATE5FmMa4
 HRRGXPkMNu6Hzz4Yk4eM/yJqckoEc8azV25myqQ+7QXTwZEvxVbtUWZtxfImGwq+
 s/uzBKNwWf9UPTeIt+4JScg=
 -----END PRIVATE KEY-----`
 )
 func TestJWTBearerAuth(t *testing.T) {
 	j := JWTAuthConfig{
 		Enabled: true,
 		Tokens: []JWTAuthTokenConfig{
 			{
 				Algorithm:     "rsa",
 				KeyString:     rsaTestPubKey,
 				AccountClaims: []string{"preferred_username", "email"},
 				StripDomain:   "example.com",
 			},
 		},
 	}
 	if err := j.Postprocess(); err != nil {
 		t.Fatal(err)
 	}
 	// fixed test vector signed with the RSA privkey:
 	token := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzbGluZ2FtbiJ9.caPZw2Dl4KZN-SErD5-WZB_lPPveHXaMCoUHxNebb94G9w3VaWDIRdngVU99JKx5nE_yRtpewkHHvXsQnNA_M63GBXGK7afXB8e-kV33QF3v9pXALMP5SzRwMgokyxas0RgHu4e4L0d7dn9o_nkdXp34GX3Pn1MVkUGBH6GdlbOdDHrs04pPQ0Qj-O2U0AIpnZq-X_GQs9ECJo4TlPKWR7Jlq5l9bS0dBnohea4FuqJr232je-dlRVkbCa7nrnFmsIsezsgA3Jb_j9Zu_iv460t_d2eaytbVp9P-DOVfzUfkBsKs-81URQEnTjW6ut445AJz2pxjX92X0GdmORpAkQ"
 	accountName, err := j.Validate(token)
 	if err != nil {
 		t.Errorf("could not validate valid token: %v", err)
 	}
 	if accountName != "slingamn" {
 		t.Errorf("incorrect account name for token: `%s`", accountName)
 	}
 	// programmatically sign a new token, validate it
 	privKey, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(rsaTestPrivKey))
 	if err != nil {
 		t.Fatal(err)
 	}
 	jTok := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"preferred_username": "slingamn"}))
 	token, err = jTok.SignedString(privKey)
 	if err != nil {
 		t.Fatal(err)
 	}
 	accountName, err = j.Validate(token)
 	if err != nil {
 		t.Errorf("could not validate valid token: %v", err)
 	}
 	if accountName != "slingamn" {
 		t.Errorf("incorrect account name for token: `%s`", accountName)
 	}
 	// test expiration
 	jTok = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"preferred_username": "slingamn", "exp": 1675740865}))
 	token, err = jTok.SignedString(privKey)
 	if err != nil {
 		t.Fatal(err)
 	}
 	accountName, err = j.Validate(token)
 	if err == nil {
 		t.Errorf("validated expired token")
 	}
 	// test for the infamous algorithm confusion bug
 	jTok = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims(map[string]any{"preferred_username": "slingamn"}))
 	token, err = jTok.SignedString([]byte(rsaTestPubKey))
 	if err != nil {
 		t.Fatal(err)
 	}
 	accountName, err = j.Validate(token)
 	if err == nil {
 		t.Errorf("validated HS256 token despite RSA being required")
 	}
 	// test no valid claims
 	jTok = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"sub": "slingamn"}))
 	token, err = jTok.SignedString(privKey)
 	if err != nil {
 		t.Fatal(err)
 	}
 	accountName, err = j.Validate(token)
 	if err != ErrNoValidAccountClaim {
 		t.Errorf("expected ErrNoValidAccountClaim, got: %v", err)
 	}
 	// test email addresses
 	jTok = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"email": "Slingamn@example.com"}))
 	token, err = jTok.SignedString(privKey)
 	if err != nil {
 		t.Fatal(err)
 	}
 	accountName, err = j.Validate(token)
 	if err != nil {
 		t.Errorf("could not validate valid token: %v", err)
 	}
 	if accountName != "Slingamn" {
 		t.Errorf("incorrect account name for token: `%s`", accountName)
 	}
 }
--- a/irc/jwt/extjwt.go
+++ b/irc/jwt/extjwt.go
@ -6,15 +6,18 @@ package jwt
 import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
 	"time"
-	jwt "github.com/golang-jwt/jwt/v5"
+	"github.com/golang-jwt/jwt"
 )
 var (
-	ErrNoKeys = errors.New("No EXTJWT signing keys are enabled")
+	ErrNoKeys = errors.New("No signing keys are enabled")
 )
 type MapClaims jwt.MapClaims
@ -35,10 +38,22 @@ func (t *JwtServiceConfig) Postprocess() (err error) {
 		if err != nil {
 			return err
 		}
-		t.rsaPrivateKey, err = jwt.ParseRSAPrivateKeyFromPEM(keyBytes)
+		d, _ := pem.Decode(keyBytes)
 		if err != nil {
 			return err
 		}
 		t.rsaPrivateKey, err = x509.ParsePKCS1PrivateKey(d.Bytes)
 		if err != nil {
 			privateKey, err := x509.ParsePKCS8PrivateKey(d.Bytes)
 			if err != nil {
 				return err
 			}
 			if rsaPrivateKey, ok := privateKey.(*rsa.PrivateKey); ok {
 				t.rsaPrivateKey = rsaPrivateKey
 			} else {
 				return fmt.Errorf("Non-RSA key type for extjwt: %T", privateKey)
 			}
 		}
 	}
 	return nil
 }
@ -49,7 +64,7 @@ func (t *JwtServiceConfig) Enabled() bool {
 func (t *JwtServiceConfig) Sign(claims MapClaims) (result string, err error) {
 	claims["exp"] = time.Now().Unix() + int64(t.Expiration/time.Second)
-	claims["now"] = time.Now().Unix()
+
 	if t.rsaPrivateKey != nil {
 		token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(claims))
 		return token.SignedString(t.rsaPrivateKey)
--- a/irc/kline.go
+++ b/irc/kline.go
@ -253,6 +253,6 @@ func (km *KLineManager) loadFromDatastore() {
 }
-func (server *Server) loadKLines() {
+func (s *Server) loadKLines() {
-	server.klines = NewKLineManager(server)
+	s.klines = NewKLineManager(s)
 }
--- a/irc/listeners.go
+++ b/irc/listeners.go
@ -5,7 +5,6 @@ package irc
 import (
 	"errors"
 	"io/fs"
 	"net"
 	"net/http"
 	"os"
@ -30,7 +29,7 @@ type IRCListener interface {
 // NewListener creates a new listener according to the specifications in the config file
 func NewListener(server *Server, addr string, config utils.ListenerConfig, bindMode os.FileMode) (result IRCListener, err error) {
-	baseListener, err := createBaseListener(server, addr, bindMode)
+	baseListener, err := createBaseListener(addr, bindMode)
 	if err != nil {
 		return
 	}
@ -44,14 +43,11 @@ func NewListener(server *Server, addr string, config utils.ListenerConfig, bindM
 	}
 }
-func createBaseListener(server *Server, addr string, bindMode os.FileMode) (listener net.Listener, err error) {
+func createBaseListener(addr string, bindMode os.FileMode) (listener net.Listener, err error) {
 	addr = strings.TrimPrefix(addr, "unix:")
 	if strings.HasPrefix(addr, "/") {
 		// https://stackoverflow.com/a/34881585
-		removeErr := os.Remove(addr)
+		os.Remove(addr)
 		if removeErr != nil && !errors.Is(removeErr, fs.ErrNotExist) {
 			server.logger.Warning("listeners", "could not delete unix domain listener", addr, removeErr.Error())
 		}
 		listener, err = net.Listen("unix", addr)
 		if err == nil && bindMode != 0 {
 			os.Chmod(addr, bindMode)
--- a/irc/message_cache.go
+++ b/irc/message_cache.go
@ -79,7 +79,8 @@ func (m *MessageCache) Initialize(server *Server, serverTime time.Time, msgid st
 	m.params = params
 	var msg ircmsg.Message
-	if forceTrailing(server.Config(), command) {
+	config := server.Config()
 	if config.Server.Compatibility.forceTrailing && commandsThatMustUseTrailing[command] {
 		msg.ForceTrailing()
 	}
 	msg.Source = nickmask
@ -110,7 +111,8 @@ func (m *MessageCache) InitializeSplitMessage(server *Server, nickmask, accountN
 	m.target = target
 	m.splitMessage = message
-	forceTrailing := forceTrailing(server.Config(), command)
+	config := server.Config()
 	forceTrailing := config.Server.Compatibility.forceTrailing && commandsThatMustUseTrailing[command]
 	if message.Is512() {
 		isTagmsg := command == "TAGMSG"
--- a/irc/modes.go
+++ b/irc/modes.go
@ -158,6 +158,7 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 	var alreadySentPrivError bool
 	maskOpCount := 0
 	chname := channel.Name()
 	details := client.Details()
@ -191,11 +192,6 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 		}
 	}
 	// should we send 324 RPL_CHANNELMODEIS? standard behavior is to send it for
 	// `MODE #channel`, i.e., an empty list of intended changes, but Ergo will
 	// also send it for no-op changes to zero-argument modes like +i
 	shouldSendModeIsLine := len(changes) == 0
 	for _, change := range changes {
 		if !hasPrivs(change) {
 			if !alreadySentPrivError {
@ -207,6 +203,7 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 		switch change.Mode {
 		case modes.BanMask, modes.ExceptMask, modes.InviteMask:
 			maskOpCount += 1
 			if change.Op == modes.List {
 				channel.ShowMaskList(client, change.Mode, rb)
 				continue
@ -215,7 +212,7 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 			mask := change.Arg
 			switch change.Op {
 			case modes.Add:
-				if !isSamode && channel.lists[change.Mode].Length() >= client.server.Config().Limits.ChanListModes {
+				if channel.lists[change.Mode].Length() >= client.server.Config().Limits.ChanListModes {
 					if !listFullWarned[change.Mode] {
 						rb.Add(nil, client.server.name, ERR_BANLISTFULL, details.nick, chname, change.Mode.String(), client.t("Channel list is full"))
 						listFullWarned[change.Mode] = true
@ -316,14 +313,11 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 		default:
 			// all channel modes with no args, e.g., InviteOnly, Secret
 			if change.Op == modes.List {
 				shouldSendModeIsLine = true
 				continue
 			}
 			if channel.flags.SetMode(change.Mode, change.Op == modes.Add) {
 				applied = append(applied, change)
 			} else {
 				shouldSendModeIsLine = true
 			}
 		}
 	}
@ -343,7 +337,8 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 		channel.MarkDirty(includeFlags)
 	}
-	if len(applied) == 0 && !alreadySentPrivError && shouldSendModeIsLine {
+	// #649: don't send 324 RPL_CHANNELMODEIS if we were only working with mask lists
 	if len(applied) == 0 && !alreadySentPrivError && (maskOpCount == 0 || maskOpCount < len(changes)) {
 		args := append([]string{details.nick, chname}, channel.modeStrings(client)...)
 		rb.Add(nil, client.server.name, RPL_CHANNELMODEIS, args...)
 		rb.Add(nil, client.server.name, RPL_CREATIONTIME, details.nick, chname, strconv.FormatInt(channel.createdTime.Unix(), 10))
--- a/irc/mysql/history.go
+++ b/irc/mysql/history.go
@ -11,7 +11,6 @@ import (
 	"fmt"
 	"io"
 	"runtime/debug"
 	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
@ -31,6 +30,14 @@ const (
 	// maximum length in bytes of any message target (nickname or channel name) in its
 	// canonicalized (i.e., casefolded) state:
 	MaxTargetLength = 64
 	// latest schema of the db
 	latestDbSchema   = "2"
 	keySchemaVersion = "db.version"
 	// minor version indicates rollback-safe upgrades, i.e.,
 	// you can downgrade oragono and everything will work
 	latestDbMinorVersion  = "2"
 	keySchemaMinorVersion = "db.minorversion"
 	cleanupRowLimit       = 50
 	cleanupPauseTime      = 10 * time.Minute
 )
@ -42,16 +49,11 @@ type MySQL struct {
 	logger *logger.Manager
 	insertHistory        *sql.Stmt
 	insertSequence       *sql.Stmt
 	insertConversation   *sql.Stmt
 	insertCorrespondent  *sql.Stmt
 	insertAccountMessage *sql.Stmt
 	getReactionsQuery *sql.Stmt
 	getSingleReaction *sql.Stmt
 	addReaction       *sql.Stmt
 	deleteReaction    *sql.Stmt
 	getMessageById *sql.Stmt
 	stateMutex sync.Mutex
 	config     Config
@ -86,55 +88,197 @@ func (mysql *MySQL) getExpireTime() (expireTime time.Duration) {
 	return
 }
-func (mysql *MySQL) Open() (err error) {
+func (m *MySQL) Open() (err error) {
 	var address string
-	if mysql.config.SocketPath != "" {
+	if m.config.SocketPath != "" {
-		address = fmt.Sprintf("unix(%s)", mysql.config.SocketPath)
+		address = fmt.Sprintf("unix(%s)", m.config.SocketPath)
-	} else if mysql.config.Port != 0 {
+	} else if m.config.Port != 0 {
-		address = fmt.Sprintf("tcp(%s:%d)", mysql.config.Host, mysql.config.Port)
+		address = fmt.Sprintf("tcp(%s:%d)", m.config.Host, m.config.Port)
 	}
-	mysql.db, err = sql.Open("mysql", fmt.Sprintf("%s:%s@%s/%s", mysql.config.User, mysql.config.Password, address, mysql.config.HistoryDatabase))
+	m.db, err = sql.Open("mysql", fmt.Sprintf("%s:%s@%s/%s", m.config.User, m.config.Password, address, m.config.HistoryDatabase))
 	if err != nil {
 		return err
 	}
-	if mysql.config.MaxConns != 0 {
+	if m.config.MaxConns != 0 {
-		mysql.db.SetMaxOpenConns(mysql.config.MaxConns)
+		m.db.SetMaxOpenConns(m.config.MaxConns)
-		mysql.db.SetMaxIdleConns(mysql.config.MaxConns)
+		m.db.SetMaxIdleConns(m.config.MaxConns)
 	}
-	if mysql.config.ConnMaxLifetime != 0 {
+	if m.config.ConnMaxLifetime != 0 {
-		mysql.db.SetConnMaxLifetime(mysql.config.ConnMaxLifetime)
+		m.db.SetConnMaxLifetime(m.config.ConnMaxLifetime)
 	}
-	err = mysql.fixSchemas()
+	err = m.fixSchemas()
 	if err != nil {
 		return err
 	}
-	err = mysql.prepareStatements()
+	err = m.prepareStatements()
 	if err != nil {
 		return err
 	}
-	go mysql.cleanupLoop()
+	go m.cleanupLoop()
-	go mysql.forgetLoop()
+	go m.forgetLoop()
 	return nil
 }
 func (mysql *MySQL) fixSchemas() (err error) {
-	// 3M now handles this
+	_, err = mysql.db.Exec(`CREATE TABLE IF NOT EXISTS metadata (
 		key_name VARCHAR(32) primary key,
 		value VARCHAR(32) NOT NULL
 	) CHARSET=ascii COLLATE=ascii_bin;`)
 	if err != nil {
 		return err
 	}
 	var schema string
 	err = mysql.db.QueryRow(`select value from metadata where key_name = ?;`, keySchemaVersion).Scan(&schema)
 	if err == sql.ErrNoRows {
 		err = mysql.createTables()
 		if err != nil {
 			return
 		}
 		_, err = mysql.db.Exec(`insert into metadata (key_name, value) values (?, ?);`, keySchemaVersion, latestDbSchema)
 		if err != nil {
 			return
 		}
 		_, err = mysql.db.Exec(`insert into metadata (key_name, value) values (?, ?);`, keySchemaMinorVersion, latestDbMinorVersion)
 		if err != nil {
 			return
 		}
 		return
 	} else if err == nil && schema != latestDbSchema {
 		// TODO figure out what to do about schema changes
 		return fmt.Errorf("incompatible schema: got %s, expected %s", schema, latestDbSchema)
 	} else if err != nil {
 		return err
 	}
 	var minorVersion string
 	err = mysql.db.QueryRow(`select value from metadata where key_name = ?;`, keySchemaMinorVersion).Scan(&minorVersion)
 	if err == sql.ErrNoRows {
 		// XXX for now, the only minor version upgrade is the account tracking tables
 		err = mysql.createComplianceTables()
 		if err != nil {
 			return
 		}
 		err = mysql.createCorrespondentsTable()
 		if err != nil {
 			return
 		}
 		_, err = mysql.db.Exec(`insert into metadata (key_name, value) values (?, ?);`, keySchemaMinorVersion, latestDbMinorVersion)
 		if err != nil {
 			return
 		}
 	} else if err == nil && minorVersion == "1" {
 		// upgrade from 2.1 to 2.2: create the correspondents table
 		err = mysql.createCorrespondentsTable()
 		if err != nil {
 			return
 		}
 		_, err = mysql.db.Exec(`update metadata set value = ? where key_name = ?;`, latestDbMinorVersion, keySchemaMinorVersion)
 		if err != nil {
 			return
 		}
 	} else if err == nil && minorVersion != latestDbMinorVersion {
 		// TODO: if minorVersion < latestDbMinorVersion, upgrade,
 		// if latestDbMinorVersion < minorVersion, ignore because backwards compatible
 	}
 	return
 }
 func (mysql *MySQL) createTables() (err error) {
-	// 3M now handles this
+	_, err = mysql.db.Exec(`CREATE TABLE history (
 		id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
 		data BLOB NOT NULL,
 		msgid BINARY(16) NOT NULL,
 		KEY (msgid(4))
 	) CHARSET=ascii COLLATE=ascii_bin;`)
 	if err != nil {
 		return err
 	}
 	_, err = mysql.db.Exec(fmt.Sprintf(`CREATE TABLE sequence (
 		history_id BIGINT UNSIGNED NOT NULL PRIMARY KEY,
 		target VARBINARY(%[1]d) NOT NULL,
 		nanotime BIGINT UNSIGNED NOT NULL,
 		KEY (target, nanotime)
 	) CHARSET=ascii COLLATE=ascii_bin;`, MaxTargetLength))
 	if err != nil {
 		return err
 	}
 	/* XXX: this table used to be:
 	CREATE TABLE sequence (
 		id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
 		target VARBINARY(%[1]d) NOT NULL,
 		nanotime BIGINT UNSIGNED NOT NULL,
 		history_id BIGINT NOT NULL,
 		KEY (target, nanotime),
 		KEY (history_id)
 	) CHARSET=ascii COLLATE=ascii_bin;
 	Some users may still be using the old schema.
 	*/
 	_, err = mysql.db.Exec(fmt.Sprintf(`CREATE TABLE conversations (
 		id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
 		target VARBINARY(%[1]d) NOT NULL,
 		correspondent VARBINARY(%[1]d) NOT NULL,
 		nanotime BIGINT UNSIGNED NOT NULL,
 		history_id BIGINT NOT NULL,
 		KEY (target, correspondent, nanotime),
 		KEY (history_id)
 	) CHARSET=ascii COLLATE=ascii_bin;`, MaxTargetLength))
 	if err != nil {
 		return err
 	}
 	err = mysql.createCorrespondentsTable()
 	if err != nil {
 		return err
 	}
 	err = mysql.createComplianceTables()
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (mysql *MySQL) createCorrespondentsTable() (err error) {
 	_, err = mysql.db.Exec(fmt.Sprintf(`CREATE TABLE correspondents (
 		id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
 		target VARBINARY(%[1]d) NOT NULL,
 		correspondent VARBINARY(%[1]d) NOT NULL,
 		nanotime BIGINT UNSIGNED NOT NULL,
 		UNIQUE KEY (target, correspondent),
 		KEY (target, nanotime),
 		KEY (nanotime)
 	) CHARSET=ascii COLLATE=ascii_bin;`, MaxTargetLength))
 	return
 }
 func (mysql *MySQL) createComplianceTables() (err error) {
-	// 3M now handles this
+	_, err = mysql.db.Exec(fmt.Sprintf(`CREATE TABLE account_messages (
 		history_id BIGINT UNSIGNED NOT NULL PRIMARY KEY,
 		account VARBINARY(%[1]d) NOT NULL,
 		KEY (account, history_id)
 	) CHARSET=ascii COLLATE=ascii_bin;`, MaxTargetLength))
 	if err != nil {
 		return err
 	}
 	_, err = mysql.db.Exec(fmt.Sprintf(`CREATE TABLE forget (
 		id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
 		account VARBINARY(%[1]d) NOT NULL
 	) CHARSET=ascii COLLATE=ascii_bin;`, MaxTargetLength))
 	if err != nil {
 		return err
 	}
 	return nil
 }
@ -182,6 +326,10 @@ func (mysql *MySQL) doCleanup(age time.Duration) (count int, err error) {
 	mysql.logger.Debug("mysql", fmt.Sprintf("deleting %d history rows, max age %s", len(ids), utils.NanoToTimestamp(maxNanotime)))
 	if maxNanotime != 0 {
 		mysql.deleteCorrespondents(ctx, maxNanotime)
 	}
 	return len(ids), mysql.deleteHistoryIDs(ctx, ids)
 }
@ -198,14 +346,21 @@ func (mysql *MySQL) deleteHistoryIDs(ctx context.Context, ids []uint64) (err err
 	inBuf.WriteRune(')')
 	inClause := inBuf.String()
 	_, err = mysql.db.ExecContext(ctx, fmt.Sprintf(`DELETE FROM conversations WHERE history_id in %s;`, inClause))
 	if err != nil {
 		return
 	}
 	_, err = mysql.db.ExecContext(ctx, fmt.Sprintf(`DELETE FROM sequence WHERE history_id in %s;`, inClause))
 	if err != nil {
 		return
 	}
 	if mysql.isTrackingAccountMessages() {
 		_, err = mysql.db.ExecContext(ctx, fmt.Sprintf(`DELETE FROM account_messages WHERE history_id in %s;`, inClause))
 		if err != nil {
 			return
 		}
 	}
-	fmt.Printf(`DELETE FROM history WHERE msgid in %s;`, inClause)
+	_, err = mysql.db.ExecContext(ctx, fmt.Sprintf(`DELETE FROM history WHERE id in %s;`, inClause))
 	_, err = mysql.db.ExecContext(ctx, fmt.Sprintf(`DELETE FROM history WHERE msgid in %s;`, inClause))
 	if err != nil {
 		return
 	}
@ -214,35 +369,57 @@ func (mysql *MySQL) deleteHistoryIDs(ctx context.Context, ids []uint64) (err err
 }
 func (mysql *MySQL) selectCleanupIDs(ctx context.Context, age time.Duration) (ids []uint64, maxNanotime int64, err error) {
 	before := timestampSnowflake(time.Now().Add(-age))
 	maxNanotime = time.Now().Add(-age).Unix() * 1000000000
 	rows, err := mysql.db.QueryContext(ctx, `
-		SELECT history.msgid
+		SELECT history.id, sequence.nanotime, conversations.nanotime
 		FROM history
-		WHERE msgid < ?
+		LEFT JOIN sequence ON history.id = sequence.history_id
-		ORDER BY history.msgid LIMIT ?;`, before, cleanupRowLimit)
+		LEFT JOIN conversations on history.id = conversations.history_id
 		ORDER BY history.id LIMIT ?;`, cleanupRowLimit)
 	if err != nil {
 		return
 	}
 	defer rows.Close()
-	ids = make([]uint64, cleanupRowLimit)
+	idset := make(map[uint64]struct{}, cleanupRowLimit)
-
+	threshold := time.Now().Add(-age).UnixNano()
 	i := 0
 	for rows.Next() {
 		var id uint64
-		err = rows.Scan(&id)
+		var seqNano, convNano sql.NullInt64
 		err = rows.Scan(&id, &seqNano, &convNano)
 		if err != nil {
 			return
 		}
 		nanotime := extractNanotime(seqNano, convNano)
 		// returns 0 if not found; in that case the data is inconsistent
 		// and we should delete the entry
 		if nanotime < threshold {
 			idset[id] = struct{}{}
 			if nanotime > maxNanotime {
 				maxNanotime = nanotime
 			}
 		}
 	}
 	ids = make([]uint64, len(idset))
 	i := 0
 	for id := range idset {
 		ids[i] = id
 		i++
 	}
 	ids = ids[0:i]
 	return
 }
 func (mysql *MySQL) deleteCorrespondents(ctx context.Context, threshold int64) {
 	result, err := mysql.db.ExecContext(ctx, `DELETE FROM correspondents WHERE nanotime <= (?);`, threshold)
 	if err != nil {
 		mysql.logError("error deleting correspondents", err)
 	} else {
 		count, err := result.RowsAffected()
 		if !mysql.logError("error deleting correspondents", err) {
 			mysql.logger.Debug(fmt.Sprintf("deleted %d correspondents entries", count))
 		}
 	}
 }
 // wait for forget queue items and process them one by one
 func (mysql *MySQL) forgetLoop() {
 	defer func() {
@ -348,7 +525,23 @@ func (mysql *MySQL) doForgetIteration(account string) (count int, err error) {
 func (mysql *MySQL) prepareStatements() (err error) {
 	mysql.insertHistory, err = mysql.db.Prepare(`INSERT INTO history
-		(data, msgid, target, sender, nanotime) VALUES (?, ?, ?, ?, ?);`)
+		(data, msgid) VALUES (?, ?);`)
 	if err != nil {
 		return
 	}
 	mysql.insertSequence, err = mysql.db.Prepare(`INSERT INTO sequence
 		(target, nanotime, history_id) VALUES (?, ?, ?);`)
 	if err != nil {
 		return
 	}
 	mysql.insertConversation, err = mysql.db.Prepare(`INSERT INTO conversations
 		(target, correspondent, nanotime, history_id) VALUES (?, ?, ?, ?);`)
 	if err != nil {
 		return
 	}
 	mysql.insertCorrespondent, err = mysql.db.Prepare(`INSERT INTO correspondents
 		(target, correspondent, nanotime) VALUES (?, ?, ?)
 		ON DUPLICATE KEY UPDATE nanotime = GREATEST(nanotime, ?);`)
 	if err != nil {
 		return
 	}
@ -358,38 +551,6 @@ func (mysql *MySQL) prepareStatements() (err error) {
 		return
 	}
 	mysql.getReactionsQuery, err = mysql.db.Prepare(`select react, count(*) as total, (select JSON_ARRAYAGG(user)
                                    from reactions r
                                    where r.msgid = main.msgid
                                      and r.react = main.react
                                    limit 3) as sample
 	from reactions as main
 	where main.msgid = ?
 	group by react, msgid;`)
 	if err != nil {
 		return
 	}
 	mysql.getSingleReaction, err = mysql.db.Prepare(`SELECT COUNT(*) FROM reactions WHERE msgid = ? AND user = ? AND react = ?`)
 	if err != nil {
 		return
 	}
 	mysql.deleteReaction, err = mysql.db.Prepare(`DELETE FROM reactions WHERE msgid = ? AND user = ? AND react = ?`)
 	if err != nil {
 		return
 	}
 	mysql.addReaction, err = mysql.db.Prepare(`INSERT INTO reactions(msgid, user, react) VALUES (?, ?, ?)`)
 	if err != nil {
 		return
 	}
 	mysql.getMessageById, err = mysql.db.Prepare(`SELECT msgid, data, target, sender, nanotime, pm FROM history WHERE msgid = ?`)
 	if err != nil {
 		return
 	}
 	return
 }
@ -446,6 +607,11 @@ func (mysql *MySQL) AddChannelItem(target string, item history.Item, account str
 		return
 	}
 	err = mysql.insertSequenceEntry(ctx, target, item.Message.Time.UnixNano(), id)
 	if err != nil {
 		return
 	}
 	err = mysql.insertAccountMessageEntry(ctx, id, account)
 	if err != nil {
 		return
@ -454,21 +620,39 @@ func (mysql *MySQL) AddChannelItem(target string, item history.Item, account str
 	return
 }
 func (mysql *MySQL) insertSequenceEntry(ctx context.Context, target string, messageTime int64, id int64) (err error) {
 	_, err = mysql.insertSequence.ExecContext(ctx, target, messageTime, id)
 	mysql.logError("could not insert sequence entry", err)
 	return
 }
 func (mysql *MySQL) insertConversationEntry(ctx context.Context, target, correspondent string, messageTime int64, id int64) (err error) {
 	_, err = mysql.insertConversation.ExecContext(ctx, target, correspondent, messageTime, id)
 	mysql.logError("could not insert conversations entry", err)
 	return
 }
 func (mysql *MySQL) insertCorrespondentsEntry(ctx context.Context, target, correspondent string, messageTime int64, historyId int64) (err error) {
 	_, err = mysql.insertCorrespondent.ExecContext(ctx, target, correspondent, messageTime, messageTime)
 	mysql.logError("could not insert conversations entry", err)
 	return
 }
 func (mysql *MySQL) insertBase(ctx context.Context, item history.Item) (id int64, err error) {
-	var value []byte
+	value, err := marshalItem(&item)
 	value, err = marshalItem(&item)
 	if mysql.logError("could not marshal item", err) {
 		return
 	}
-	var account = item.Account
+
-	if account == "" {
+	msgidBytes, err := decodeMsgid(item.Message.Msgid)
-		account = "*"
+	if mysql.logError("could not decode msgid", err) {
 	}
 	result, err := mysql.insertHistory.ExecContext(ctx, value, item.Message.Msgid, item.Target, account, item.Message.Time.UnixNano())
 	if mysql.logError("could not insert item", err) {
 		return
 	}
 	result, err := mysql.insertHistory.ExecContext(ctx, value, msgidBytes)
 	if mysql.logError("could not insert item", err) {
 		return
 	}
 	id, err = result.LastInsertId()
 	if mysql.logError("could not insert item", err) {
 		return
@ -502,7 +686,36 @@ func (mysql *MySQL) AddDirectMessage(sender, senderAccount, recipient, recipient
 	ctx, cancel := context.WithTimeout(context.Background(), mysql.getTimeout())
 	defer cancel()
-	_, err = mysql.insertBase(ctx, item)
+	id, err := mysql.insertBase(ctx, item)
 	if err != nil {
 		return
 	}
 	nanotime := item.Message.Time.UnixNano()
 	if senderAccount != "" {
 		err = mysql.insertConversationEntry(ctx, senderAccount, recipient, nanotime, id)
 		if err != nil {
 			return
 		}
 		err = mysql.insertCorrespondentsEntry(ctx, senderAccount, recipient, nanotime, id)
 		if err != nil {
 			return
 		}
 	}
 	if recipientAccount != "" && sender != recipient {
 		err = mysql.insertConversationEntry(ctx, recipientAccount, sender, nanotime, id)
 		if err != nil {
 			return
 		}
 		err = mysql.insertCorrespondentsEntry(ctx, recipientAccount, sender, nanotime, id)
 		if err != nil {
 			return
 		}
 	}
 	err = mysql.insertAccountMessageEntry(ctx, id, senderAccount)
 	if err != nil {
 		return
 	}
@ -511,7 +724,7 @@ func (mysql *MySQL) AddDirectMessage(sender, senderAccount, recipient, recipient
 }
 // note that accountName is the unfolded name
-func (mysql *MySQL) DeleteMsgid(msgid, account string) (err error) {
+func (mysql *MySQL) DeleteMsgid(msgid, accountName string) (err error) {
 	if mysql.db == nil {
 		return nil
 	}
@ -524,11 +737,11 @@ func (mysql *MySQL) DeleteMsgid(msgid, account string) (err error) {
 		return
 	}
-	if account != "*" {
+	if accountName != "*" {
 		var item history.Item
 		err = unmarshalItem(data, &item)
 		// delete if the entry is corrupt
-		if err == nil && item.Account != account {
+		if err == nil && item.AccountName != accountName {
 			return ErrDisallowed
 		}
 	}
@ -539,10 +752,7 @@ func (mysql *MySQL) DeleteMsgid(msgid, account string) (err error) {
 }
 func (mysql *MySQL) Export(account string, writer io.Writer) {
-	// no eu presence...
+	if mysql.db == nil {
 	// maybe fix this when i know the new schema works
 	return
 	/*if mysql.db == nil {
 		return
 	}
@ -554,8 +764,10 @@ func (mysql *MySQL) Export(account string, writer io.Writer) {
 			defer cancel()
 			rows, rowsErr := mysql.db.QueryContext(ctx, `
-				SELECT history.data, msgid, target FROM history
+				SELECT account_messages.history_id, history.data, sequence.target FROM account_messages
-				WHERE sender = ? AND account_messages.history_id > ?
+				INNER JOIN history ON history.id = account_messages.history_id
 				INNER JOIN sequence ON account_messages.history_id = sequence.history_id
 				WHERE account_messages.account = ? AND account_messages.history_id > ?
 				LIMIT ?`, account, lastSeen, cleanupRowLimit)
 			if rowsErr != nil {
 				err = rowsErr
@ -567,7 +779,7 @@ func (mysql *MySQL) Export(account string, writer io.Writer) {
 				var blob, jsonBlob []byte
 				var target string
 				var item history.Item
-				err = rows.Scan(&blob, &id, &target)
+				err = rows.Scan(&id, &blob, &target)
 				if err != nil {
 					return
 				}
@ -575,7 +787,7 @@ func (mysql *MySQL) Export(account string, writer io.Writer) {
 				if err != nil {
 					return
 				}
-				item.Target = target
+				item.CfCorrespondent = target
 				jsonBlob, err = json.Marshal(item)
 				if err != nil {
 					return
@ -595,66 +807,28 @@ func (mysql *MySQL) Export(account string, writer io.Writer) {
 	}
 	mysql.logError("could not export history", err)
 	return*/
 }
 // Kinda an intermediary function due to the CEF DB structure
 func (mysql *MySQL) GetMessage(msgid string) (id uint64, item history.Item, target string, sender string, nanotime uint64, pm bool, err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), mysql.getTimeout())
 	defer cancel()
 	var data []byte
 	row := mysql.getMessageById.QueryRowContext(ctx, msgid)
 	err = row.Scan(&id, &data, &target, &sender, &nanotime, &pm)
 	if err != nil {
 		return
 	}
 	err = unmarshalItem(data, &item)
 	return
 }
 func (mysql *MySQL) HasReactionFromUser(msgid string, user string, reaction string) (exists bool) {
 	ctx, cancel := context.WithTimeout(context.Background(), mysql.getTimeout())
 	defer cancel()
 	row := mysql.getSingleReaction.QueryRowContext(ctx, msgid, user, reaction)
 	var count int
 	row.Scan(&count)
 	return count > 0
 }
 func (mysql *MySQL) AddReaction(msgid string, user string, reaction string) (err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), mysql.getTimeout())
 	defer cancel()
 	_, err = mysql.addReaction.ExecContext(ctx, msgid, user, reaction)
 	return
 }
 func (mysql *MySQL) DeleteReaction(msgid string, user string, reaction string) (err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), mysql.getTimeout())
 	defer cancel()
 	_, err = mysql.deleteReaction.ExecContext(ctx, msgid, user, reaction)
 	return
 }
 func (mysql *MySQL) lookupMsgid(ctx context.Context, msgid string, includeData bool) (result time.Time, id uint64, data []byte, err error) {
 	decoded, err := decodeMsgid(msgid)
 	if err != nil {
 		return
 	}
-	cols := `history.nanotime`
+	cols := `sequence.nanotime, conversations.nanotime`
 	if includeData {
-		cols = `history.nanotime, history.id, history.data`
+		cols = `sequence.nanotime, conversations.nanotime, history.id, history.data`
 	}
 	// Since CEF uses snowflakes and vanilla ergo uses blobs, we cast as int to make it function.
 	// May have to adjust it some day
 	row := mysql.db.QueryRowContext(ctx, fmt.Sprintf(`
 		SELECT %s FROM history
-		WHERE history.msgid = CAST(? AS UNSIGNED) LIMIT 1;`, cols), msgid)
+		LEFT JOIN sequence ON history.id = sequence.history_id
-	var nanoSeq sql.NullInt64
+		LEFT JOIN conversations ON history.id = conversations.history_id
 		WHERE history.msgid = ? LIMIT 1;`, cols), decoded)
 	var nanoSeq, nanoConv sql.NullInt64
 	if !includeData {
-		err = row.Scan(&nanoSeq)
+		err = row.Scan(&nanoSeq, &nanoConv)
 	} else {
-		err = row.Scan(&nanoSeq, &id, &data)
+		err = row.Scan(&nanoSeq, &nanoConv, &id, &data)
 	}
 	if err != sql.ErrNoRows {
 		mysql.logError("could not resolve msgid to time", err)
@ -662,7 +836,7 @@ func (mysql *MySQL) lookupMsgid(ctx context.Context, msgid string, includeData b
 	if err != nil {
 		return
 	}
-	nanotime := nanoSeq.Int64
+	nanotime := extractNanotime(nanoSeq, nanoConv)
 	if nanotime == 0 {
 		err = sql.ErrNoRows
 		return
@ -671,6 +845,15 @@ func (mysql *MySQL) lookupMsgid(ctx context.Context, msgid string, includeData b
 	return
 }
 func extractNanotime(seq, conv sql.NullInt64) (result int64) {
 	if seq.Valid {
 		return seq.Int64
 	} else if conv.Valid {
 		return conv.Int64
 	}
 	return
 }
 func (mysql *MySQL) selectItems(ctx context.Context, query string, args ...interface{}) (results []history.Item, err error) {
 	rows, err := mysql.db.QueryContext(ctx, query, args...)
 	if mysql.logError("could not select history items", err) {
@ -681,10 +864,8 @@ func (mysql *MySQL) selectItems(ctx context.Context, query string, args ...inter
 	for rows.Next() {
 		var blob []byte
 		var msgid uint64
 		var item history.Item
-
+		err = rows.Scan(&blob)
 		err = rows.Scan(&blob, &msgid)
 		if mysql.logError("could not scan history item", err) {
 			return
 		}
@ -692,36 +873,17 @@ func (mysql *MySQL) selectItems(ctx context.Context, query string, args ...inter
 		if mysql.logError("could not unmarshal history item", err) {
 			return
 		}
 		reactions, rErr := mysql.getReactionsQuery.Query(msgid)
 		if mysql.logError("could not get reactions", rErr) {
 			return
 		}
 		var react string
 		var total int
 		var sample string
 		for reactions.Next() {
 			reactions.Scan(&react, &total, &sample)
 			var sampleDecoded []string
 			json.Unmarshal([]byte(sample), &sampleDecoded)
 			item.Reactions = append(item.Reactions, history.Reaction{
 				Name:        react,
 				Total:       total,
 				SampleUsers: sampleDecoded,
 			})
 		}
 		results = append(results, item)
 	}
 	return
 }
 func timestampSnowflake(t time.Time) uint64 {
 	var ts = t.Unix() & 0xffffffffffff
 	return uint64(ts << 16)
 }
 func (mysql *MySQL) betweenTimestamps(ctx context.Context, target, correspondent string, after, before, cutoff time.Time, limit int) (results []history.Item, err error) {
 	useSequence := correspondent == ""
 	table := "sequence"
 	if !useSequence {
 		table = "conversations"
 	}
 	after, before, ascending := history.MinMaxAsc(after, before, cutoff)
 	direction := "ASC"
@ -730,30 +892,32 @@ func (mysql *MySQL) betweenTimestamps(ctx context.Context, target, correspondent
 	}
 	var queryBuf strings.Builder
-	args := make([]interface{}, 0, 7)
+
-	if correspondent == "" {
+	args := make([]interface{}, 0, 6)
-		fmt.Fprintf(&queryBuf, "SELECT data, msgid FROM history WHERE target = ? ")
+	fmt.Fprintf(&queryBuf,
 		"SELECT history.data from history INNER JOIN %[1]s ON history.id = %[1]s.history_id WHERE", table)
 	if useSequence {
 		fmt.Fprintf(&queryBuf, " sequence.target = ?")
 		args = append(args, target)
 	} else {
-		fmt.Fprintf(&queryBuf, "SELECT data, msgid FROM history WHERE (target = ? and sender = ?) OR  (target = ? and sender = ?)")
+		fmt.Fprintf(&queryBuf, " conversations.target = ? AND conversations.correspondent = ?")
-		args = append(args, target, correspondent, correspondent, target)
+		args = append(args, target)
 		args = append(args, correspondent)
 	}
 	if !after.IsZero() {
-		fmt.Fprintf(&queryBuf, " AND nanotime > ?")
+		fmt.Fprintf(&queryBuf, " AND %s.nanotime > ?", table)
 		args = append(args, after.UnixNano())
 	}
 	if !before.IsZero() {
-		fmt.Fprintf(&queryBuf, " AND nanotime <= ?")
+		fmt.Fprintf(&queryBuf, " AND %s.nanotime < ?", table)
 		args = append(args, before.UnixNano())
 	}
-
+	fmt.Fprintf(&queryBuf, " ORDER BY %[1]s.nanotime %[2]s LIMIT ?;", table, direction)
 	fmt.Fprintf(&queryBuf, " ORDER BY nanotime %[1]s LIMIT ?;", direction)
 	args = append(args, limit)
 	results, err = mysql.selectItems(ctx, queryBuf.String(), args...)
 	if err == nil && !ascending {
-		slices.Reverse(results)
+		utils.ReverseSlice(results)
 	}
 	return
 }
@ -766,19 +930,19 @@ func (mysql *MySQL) listCorrespondentsInternal(ctx context.Context, target strin
 	}
 	var queryBuf strings.Builder
-	args := make([]interface{}, 0, 5)
+	args := make([]interface{}, 0, 4)
-	queryBuf.WriteString(`SELECT target, sender, nanotime from history
+	queryBuf.WriteString(`SELECT correspondents.correspondent, correspondents.nanotime from correspondents
-		WHERE target = ? OR (sender = ? and pm = true)`)
+		WHERE target = ?`)
-	args = append(args, target, target)
+	args = append(args, target)
 	if !after.IsZero() {
-		queryBuf.WriteString(" AND nanotime > ?")
+		queryBuf.WriteString(" AND correspondents.nanotime > ?")
 		args = append(args, after.UnixNano())
 	}
 	if !before.IsZero() {
-		queryBuf.WriteString(" AND nanotime < ?")
+		queryBuf.WriteString(" AND correspondents.nanotime < ?")
 		args = append(args, before.UnixNano())
 	}
-	fmt.Fprintf(&queryBuf, " ORDER BY nanotime %s LIMIT ?;", direction)
+	fmt.Fprintf(&queryBuf, " ORDER BY correspondents.nanotime %s LIMIT ?;", direction)
 	args = append(args, limit)
 	query := queryBuf.String()
@ -787,30 +951,21 @@ func (mysql *MySQL) listCorrespondentsInternal(ctx context.Context, target strin
 		return
 	}
 	defer rows.Close()
-	var msgTarget string
+	var correspondent string
 	var msgSender string
 	var nanotime int64
 	for rows.Next() {
-		err = rows.Scan(&msgTarget, &msgSender, &nanotime)
+		err = rows.Scan(&correspondent, &nanotime)
 		if err != nil {
 			return
 		}
 		if msgTarget == target {
 		results = append(results, history.TargetListing{
-				CfName: msgSender,
+			CfName: correspondent,
 			Time:   time.Unix(0, nanotime),
 		})
 		} else {
 			results = append(results, history.TargetListing{
 				CfName: msgTarget,
 				Time:   time.Unix(0, nanotime),
 			})
 		}
 	}
 	if !ascending {
-		slices.Reverse(results)
+		utils.ReverseSlice(results)
 	}
 	return
@ -886,7 +1041,6 @@ func (s *mySQLHistorySequence) Between(start, end history.Selector, limit int) (
 	defer cancel()
 	startTime := start.Time
 	if start.Msgid != "" {
 		startTime, _, _, err = s.mysql.lookupMsgid(ctx, start.Msgid, false)
 		if err != nil {
@ -900,7 +1054,6 @@ func (s *mySQLHistorySequence) Between(start, end history.Selector, limit int) (
 	endTime := end.Time
 	if end.Msgid != "" {
 		endTime, _, _, err = s.mysql.lookupMsgid(ctx, end.Msgid, false)
 		if err != nil {
 			if err == sql.ErrNoRows {
 				return nil, nil
@ -947,41 +1100,3 @@ func (mysql *MySQL) MakeSequence(target, correspondent string, cutoff time.Time)
 		cutoff:        cutoff,
 	}
 }
 func (mysql *MySQL) GetPMs(casefoldedUser string) (results map[string]int64, err error) {
 	if mysql.db == nil {
 		return
 	}
 	results = make(map[string]int64)
 	ctx, cancel := context.WithTimeout(context.Background(), mysql.getTimeout())
 	defer cancel()
 	var queryBuf strings.Builder
 	args := make([]interface{}, 0)
 	queryBuf.WriteString(`SELECT max(nanotime), target, sender FROM history WHERE target = ? OR (sender = ? and pm = true) GROUP BY target, sender;`)
 	args = append(args, casefoldedUser, casefoldedUser)
 	rows, err := mysql.db.QueryContext(ctx, queryBuf.String(), args...)
 	if mysql.logError("could not get pms", err) {
 		return
 	}
 	defer rows.Close()
 	var last int64
 	var target, sender string
 	for rows.Next() {
 		err = rows.Scan(&last, &target, &sender)
 		if mysql.logError("could not get pms", err) {
 			return
 		}
 		// We really don't need nanosecond precision
 		if target != casefoldedUser {
 			results[target] = last / 1000000
 		} else {
 			results[sender] = last / 1000000
 		}
 	}
 	return
 }
--- a/irc/mysql/serialization.go
+++ b/irc/mysql/serialization.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"github.com/ergochat/ergo/irc/history"
 	"github.com/ergochat/ergo/irc/utils"
 )
 // 123 / '{' is the magic number that means JSON;
@ -16,3 +17,7 @@ func marshalItem(item *history.Item) (result []byte, err error) {
 func unmarshalItem(data []byte, result *history.Item) (err error) {
 	return json.Unmarshal(data, result)
 }
 func decodeMsgid(msgid string) ([]byte, error) {
 	return utils.B32Encoder.DecodeString(msgid)
 }
--- a/irc/nickname.go
+++ b/irc/nickname.go
@ -43,8 +43,6 @@ func performNickChange(server *Server, client *Client, target *Client, session *
 		}
 	} else if err == errNicknameReserved {
 		if !isSanick {
 			// see #1594 for context: ERR_NICKNAMEINUSE can confuse clients if the nickname is not
 			// literally in use:
 			if !client.registered {
 				rb.Add(nil, server.name, ERR_NICKNAMEINUSE, details.nick, utils.SafeErrorParam(nickname), client.t("Nickname is reserved by a different account"))
 			}
@ -95,7 +93,7 @@ func performNickChange(server *Server, client *Client, target *Client, session *
 	histItem := history.Item{
 		Type:        history.Nick,
 		Nick:        origNickMask,
-		Account: details.account,
+		AccountName: details.accountName,
 		Message:     message,
 		IsBot:       isBot,
 	}
@ -122,12 +120,8 @@ func performNickChange(server *Server, client *Client, target *Client, session *
 	}
 	for _, channel := range target.Channels() {
 		if channel.memberIsVisible(client) {
 			// I LOVE MUTATING STATE!
 			histItem.Target = channel.NameCasefolded()
 		channel.AddHistoryItem(histItem, details.account)
 	}
 	}
 	newCfnick := target.NickCasefolded()
 	if newCfnick != details.nickCasefolded {
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@ -1398,11 +1398,6 @@ func nsCertHandler(service *ircService, server *Server, client *Client, command
 	case "add", "del":
 		if 2 <= len(params) {
 			target, certfp = params[0], params[1]
 			if cftarget, err := CasefoldName(target); err == nil && client.Account() == cftarget {
 				// If the target is equal to the account, then the user accidentally invoked operator
 				// syntax (cert add mynick <fp>) instead of self syntax (cert add <fp>).
 				target = ""
 			}
 		} else if len(params) == 1 {
 			certfp = params[0]
 		} else if len(params) == 0 && verb == "add" && rb.session.certfp != "" {
--- a/irc/numerics.go
+++ b/irc/numerics.go
@ -192,6 +192,9 @@ const (
 	ERR_SASLABORTED               = "906"
 	ERR_SASLALREADY               = "907"
 	RPL_SASLMECHS                 = "908"
 	RPL_REG_SUCCESS               = "920"
 	RPL_VERIFY_SUCCESS            = "923"
 	RPL_REG_VERIFICATION_REQUIRED = "927"
 	ERR_TOOMANYLANGUAGES          = "981"
 	ERR_NOLANGUAGE                = "982"
 )
--- a/irc/oauth2/oauth2.go
+++ b/irc/oauth2/oauth2.go
@ -1,108 +0,0 @@
 // Copyright 2022-2023 Simon Ser <contact@emersion.fr>
 // Derived from https://git.sr.ht/~emersion/soju/tree/36d6cb19a4f90d217d55afb0b15318321baaad09/item/auth/oauth2.go
 // Originally released under the AGPLv3, relicensed to the Ergo project under the MIT license
 // Modifications copyright 2024 Shivaram Lingamneni <slingamn@cs.stanford.edu>
 // Released under the MIT license
 package oauth2
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 )
 var (
 	ErrAuthDisabled = fmt.Errorf("OAuth 2.0 authentication is disabled")
 	// all cases where the infrastructure is working correctly, but we determined
 	// that the user supplied an invalid token
 	ErrInvalidToken = fmt.Errorf("OAuth 2.0 bearer token invalid")
 )
 type OAuth2BearerConfig struct {
 	Enabled              bool          `yaml:"enabled"`
 	Autocreate           bool          `yaml:"autocreate"`
 	AuthScript           bool          `yaml:"auth-script"`
 	IntrospectionURL     string        `yaml:"introspection-url"`
 	IntrospectionTimeout time.Duration `yaml:"introspection-timeout"`
 	// omit for `none`, required for `client_secret_basic`
 	ClientID     string `yaml:"client-id"`
 	ClientSecret string `yaml:"client-secret"`
 }
 func (o *OAuth2BearerConfig) Postprocess() error {
 	if !o.Enabled {
 		return nil
 	}
 	if o.IntrospectionTimeout == 0 {
 		return fmt.Errorf("a nonzero oauthbearer introspection timeout is required (try 10s)")
 	}
 	if _, err := url.Parse(o.IntrospectionURL); err != nil {
 		return fmt.Errorf("invalid introspection-url: %w", err)
 	}
 	return nil
 }
 func (o *OAuth2BearerConfig) Introspect(ctx context.Context, token string) (username string, err error) {
 	if !o.Enabled {
 		return "", ErrAuthDisabled
 	}
 	ctx, cancel := context.WithTimeout(ctx, o.IntrospectionTimeout)
 	defer cancel()
 	reqValues := make(url.Values)
 	reqValues.Set("token", token)
 	reqBody := strings.NewReader(reqValues.Encode())
 	req, err := http.NewRequestWithContext(ctx, http.MethodPost, o.IntrospectionURL, reqBody)
 	if err != nil {
 		return "", fmt.Errorf("failed to create OAuth 2.0 introspection request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Accept", "application/json")
 	if o.ClientID != "" {
 		req.SetBasicAuth(url.QueryEscape(o.ClientID), url.QueryEscape(o.ClientSecret))
 	}
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("failed to send OAuth 2.0 introspection request: %v", err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		return "", fmt.Errorf("OAuth 2.0 introspection error: %v", resp.Status)
 	}
 	var data oauth2Introspection
 	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
 		return "", fmt.Errorf("failed to decode OAuth 2.0 introspection response: %v", err)
 	}
 	if !data.Active {
 		return "", ErrInvalidToken
 	}
 	if data.Username == "" {
 		// We really need the username here, otherwise an OAuth 2.0 user can
 		// impersonate any other user.
 		return "", fmt.Errorf("missing username in OAuth 2.0 introspection response")
 	}
 	return data.Username, nil
 }
 type oauth2Introspection struct {
 	Active   bool   `json:"active"`
 	Username string `json:"username"`
 }
--- a/irc/oauth2/sasl.go
+++ b/irc/oauth2/sasl.go
@ -1,172 +0,0 @@
 package oauth2
 /*
 https://github.com/emersion/go-sasl/blob/e73c9f7bad438a9bf3f5b28e661b74d752ecafdd/oauthbearer.go
 Copyright 2019-2022 Simon Ser, Frode Aannevik, Max Mazurov
 Released under the MIT license
 */
 import (
 	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"strconv"
 	"strings"
 )
 var (
 	ErrUnexpectedClientResponse = errors.New("unexpected client response")
 )
 // The OAUTHBEARER mechanism name.
 const OAuthBearer = "OAUTHBEARER"
 type OAuthBearerError struct {
 	Status  string `json:"status"`
 	Schemes string `json:"schemes"`
 	Scope   string `json:"scope"`
 }
 type OAuthBearerOptions struct {
 	Username string `json:"username,omitempty"`
 	Token    string `json:"token,omitempty"`
 	Host     string `json:"host,omitempty"`
 	Port     int    `json:"port,omitempty"`
 }
 func (err *OAuthBearerError) Error() string {
 	return fmt.Sprintf("OAUTHBEARER authentication error (%v)", err.Status)
 }
 type OAuthBearerAuthenticator func(opts OAuthBearerOptions) *OAuthBearerError
 type OAuthBearerServer struct {
 	done         bool
 	failErr      error
 	authenticate OAuthBearerAuthenticator
 }
 func (a *OAuthBearerServer) fail(descr string) ([]byte, bool, error) {
 	blob, err := json.Marshal(OAuthBearerError{
 		Status:  "invalid_request",
 		Schemes: "bearer",
 	})
 	if err != nil {
 		panic(err) // wtf
 	}
 	a.failErr = errors.New(descr)
 	return blob, false, nil
 }
 func (a *OAuthBearerServer) Next(response []byte) (challenge []byte, done bool, err error) {
 	// Per RFC, we cannot just send an error, we need to return JSON-structured
 	// value as a challenge and then after getting dummy response from the
 	// client stop the exchange.
 	if a.failErr != nil {
 		// Server libraries (go-smtp, go-imap) will not call Next on
 		// protocol-specific SASL cancel response ('*'). However, GS2 (and
 		// indirectly OAUTHBEARER) defines a protocol-independent way to do so
 		// using 0x01.
 		if len(response) != 1 && response[0] != 0x01 {
 			return nil, true, errors.New("unexpected response")
 		}
 		return nil, true, a.failErr
 	}
 	if a.done {
 		err = ErrUnexpectedClientResponse
 		return
 	}
 	// Generate empty challenge.
 	if response == nil {
 		return []byte{}, false, nil
 	}
 	a.done = true
 	// Cut n,a=username,\x01host=...\x01auth=...
 	// into
 	//   n
 	//   a=username
 	//   \x01host=...\x01auth=...\x01\x01
 	parts := bytes.SplitN(response, []byte{','}, 3)
 	if len(parts) != 3 {
 		return a.fail("Invalid response")
 	}
 	flag := parts[0]
 	authzid := parts[1]
 	if !bytes.Equal(flag, []byte{'n'}) {
 		return a.fail("Invalid response, missing 'n' in gs2-cb-flag")
 	}
 	opts := OAuthBearerOptions{}
 	if len(authzid) > 0 {
 		if !bytes.HasPrefix(authzid, []byte("a=")) {
 			return a.fail("Invalid response, missing 'a=' in gs2-authzid")
 		}
 		opts.Username = string(bytes.TrimPrefix(authzid, []byte("a=")))
 	}
 	// Cut \x01host=...\x01auth=...\x01\x01
 	// into
 	//   *empty*
 	//   host=...
 	//   auth=...
 	//   *empty*
 	//
 	// Note that this code does not do a lot of checks to make sure the input
 	// follows the exact format specified by RFC.
 	params := bytes.Split(parts[2], []byte{0x01})
 	for _, p := range params {
 		// Skip empty fields (one at start and end).
 		if len(p) == 0 {
 			continue
 		}
 		pParts := bytes.SplitN(p, []byte{'='}, 2)
 		if len(pParts) != 2 {
 			return a.fail("Invalid response, missing '='")
 		}
 		switch string(pParts[0]) {
 		case "host":
 			opts.Host = string(pParts[1])
 		case "port":
 			port, err := strconv.ParseUint(string(pParts[1]), 10, 16)
 			if err != nil {
 				return a.fail("Invalid response, malformed 'port' value")
 			}
 			opts.Port = int(port)
 		case "auth":
 			const prefix = "bearer "
 			strValue := string(pParts[1])
 			// Token type is case-insensitive.
 			if !strings.HasPrefix(strings.ToLower(strValue), prefix) {
 				return a.fail("Unsupported token type")
 			}
 			opts.Token = strValue[len(prefix):]
 		default:
 			return a.fail("Invalid response, unknown parameter: " + string(pParts[0]))
 		}
 	}
 	authzErr := a.authenticate(opts)
 	if authzErr != nil {
 		blob, err := json.Marshal(authzErr)
 		if err != nil {
 			panic(err) // wtf
 		}
 		a.failErr = authzErr
 		return blob, false, nil
 	}
 	return nil, true, nil
 }
 func NewOAuthBearerServer(auth OAuthBearerAuthenticator) *OAuthBearerServer {
 	return &OAuthBearerServer{
 		authenticate: auth,
 	}
 }
--- a/irc/passwd/bcrypt_test.go
+++ b/irc/passwd/bcrypt_test.go
@ -22,16 +22,6 @@ func TestBasic(t *testing.T) {
 	}
 }
 func TestVector(t *testing.T) {
 	// sanity check for persisted hashes
 	if CompareHashAndPassword(
 		[]byte("$2a$12$sJokyLJ5px3Nb51DEDhsQ.wh8nfwEYuMbVYrpqO5v9Ylyj0YyVWj."),
 		[]byte("this is my passphrase"),
 	) != nil {
 		t.Errorf("hash comparison failed unexpectedly")
 	}
 }
 func TestLongPassphrases(t *testing.T) {
 	longPassphrase := make([]byte, 168)
 	for i := range longPassphrase {
--- a/irc/responsebuffer.go
+++ b/irc/responsebuffer.go
@ -4,10 +4,7 @@
 package irc
 import (
 	"github.com/ergochat/ergo/irc/history"
 	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/ergochat/ergo/irc/caps"
@ -124,12 +121,8 @@ func (rb *ResponseBuffer) AddFromClient(time time.Time, msgid string, fromNickMa
 	rb.AddMessage(msg)
 }
 func (rb *ResponseBuffer) AddSplitMessageFromClient(fromNickMask string, fromAccount string, isBot bool, tags map[string]string, command string, target string, message utils.SplitMessage) {
 	rb.AddSplitMessageFromClientWithReactions(fromNickMask, fromAccount, isBot, tags, command, target, message, nil)
 }
 // AddSplitMessageFromClient adds a new split message from a specific client to our queue.
-func (rb *ResponseBuffer) AddSplitMessageFromClientWithReactions(fromNickMask string, fromAccount string, isBot bool, tags map[string]string, command string, target string, message utils.SplitMessage, reactions []history.Reaction) {
+func (rb *ResponseBuffer) AddSplitMessageFromClient(fromNickMask string, fromAccount string, isBot bool, tags map[string]string, command string, target string, message utils.SplitMessage) {
 	if message.Is512() {
 		if message.Message == "" {
 			// XXX this is a TAGMSG
@ -149,23 +142,8 @@ func (rb *ResponseBuffer) AddSplitMessageFromClientWithReactions(fromNickMask st
 				if i == 0 {
 					msgid = message.Msgid
 				}
-				mergedTags := make(map[string]string)
+				rb.AddFromClient(message.Time, msgid, fromNickMask, fromAccount, isBot, tags, command, target, messagePair.Message)
 				for k, v := range tags {
 					mergedTags[k] = v
 			}
 				for k, v := range messagePair.Tags {
 					mergedTags[k] = v
 				}
 				rb.AddFromClient(message.Time, msgid, fromNickMask, fromAccount, isBot, mergedTags, command, target, messagePair.Message)
 			}
 		}
 	}
 	if reactions != nil && len(reactions) >= 1 {
 		var text string
 		for _, react := range reactions {
 			text = strings.Join([]string{message.Msgid, react.Name, strconv.Itoa(react.Total)}, " ")
 			text += " " + strings.Join(react.SampleUsers, " ")
 			rb.Add(nil, rb.target.server.name, "REACTIONS", text)
 		}
 	}
 }
@ -215,9 +193,6 @@ func (rb *ResponseBuffer) sendBatchEnd(blocking bool) {
 // Starts a nested batch (see the ResponseBuffer struct definition for a description of
 // how this works)
 func (rb *ResponseBuffer) StartNestedBatch(batchType string, params ...string) (batchID string) {
 	if !rb.session.capabilities.Has(caps.Batch) {
 		return
 	}
 	batchID = rb.session.generateBatchID()
 	msgParams := make([]string, len(params)+2)
 	msgParams[0] = "+" + batchID
@ -244,6 +219,19 @@ func (rb *ResponseBuffer) EndNestedBatch(batchID string) {
 	rb.AddMessage(ircmsg.MakeMessage(nil, rb.target.server.name, "BATCH", "-"+batchID))
 }
 // Convenience to start a nested batch for history lines, at the highest level
 // supported by the client (`history`, `chathistory`, or no batch, in descending order).
 func (rb *ResponseBuffer) StartNestedHistoryBatch(params ...string) (batchID string) {
 	var batchType string
 	if rb.session.capabilities.Has(caps.Batch) {
 		batchType = "chathistory"
 	}
 	if batchType != "" {
 		batchID = rb.StartNestedBatch(batchType, params...)
 	}
 	return
 }
 // Send sends all messages in the buffer to the client.
 // Afterwards, the buffer is in an undefined state and MUST NOT be used further.
 // If `blocking` is true you MUST be sending to the client from its own goroutine.
--- a/irc/roleplay.go
+++ b/irc/roleplay.go
@ -110,9 +110,6 @@ func sendRoleplayMessage(server *Server, client *Client, source string, targetSt
 			Type:    history.Privmsg,
 			Message: splitMessage,
 			Nick:    sourceMask,
 			Target:  target,
 			// TODO: does this work?
 			Account: "$RP",
 		}, client.Account())
 	} else {
 		target, err := CasefoldName(targetString)
--- a/irc/script.go
+++ b/irc/script.go
@ -5,11 +5,8 @@ package irc
 import (
 	"bufio"
 	"bytes"
 	"io"
 	"net/http"
 	"os/exec"
 	"strings"
 	"syscall"
 	"time"
 )
@ -24,27 +21,7 @@ type scriptResponse struct {
 	err    error
 }
 func RunHttp(command string, args []string, input []byte, timeout time.Duration) (output []byte, err error) {
 	client := http.Client{
 		Timeout: timeout,
 	}
 	post, err := client.Post(command, "application/json", bytes.NewBuffer(input))
 	if err != nil {
 		return nil, err
 	}
 	defer post.Body.Close()
 	output, err = io.ReadAll(post.Body)
 	if err != nil {
 		return nil, err
 	}
 	return
 }
 func RunScript(command string, args []string, input []byte, timeout, killTimeout time.Duration) (output []byte, err error) {
 	if strings.HasPrefix(command, "http") {
 		return RunHttp(command, args, input, timeout)
 	}
 	cmd := exec.Command(command, args...)
 	stdin, err := cmd.StdinPipe()
 	if err != nil {
--- a/irc/server.go
+++ b/irc/server.go
@ -36,8 +36,6 @@ import (
 	"github.com/ergochat/ergo/irc/mysql"
 	"github.com/ergochat/ergo/irc/sno"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/redis/go-redis/v9"
 )
 const (
@ -98,9 +96,6 @@ type Server struct {
 	semaphores        ServerSemaphores
 	flock             flock.Flocker
 	defcon            atomic.Uint32
 	// CEF
 	redis *redis.Client
 }
 // NewServer returns a new Oragono server.
@ -168,13 +163,6 @@ func (server *Server) Shutdown() {
 func (server *Server) Run() {
 	defer server.Shutdown()
 	redisOpts, err := redis.ParseURL(server.Config().Cef.Redis)
 	if err != nil {
 		panic(err)
 	}
 	server.redis = redis.NewClient(redisOpts)
 	startRedis(server)
 	for {
 		select {
 		case <-server.exitSignals:
@ -326,7 +314,9 @@ func (server *Server) checkBanScriptExemptSASL(config *Config, session *Session)
 func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 	// XXX PROXY or WEBIRC MUST be sent as the first line of the session;
 	// if we are here at all that means we have the final value of the IP
-	c.finalizeHostname(session)
+	if session.rawHostname == "" {
 		session.client.lookupHostname(session, false)
 	}
 	// try to complete registration normally
 	// XXX(#1057) username can be filled in by an ident query without the client
@ -369,7 +359,10 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 	rb := NewResponseBuffer(session)
 	nickError := performNickChange(server, c, c, session, c.preregNick, rb)
 	rb.Send(true)
-	if nickError != nil {
+	if nickError == errInsecureReattach {
 		c.Quit(c.t("You can't mix secure and insecure connections to this account"), nil)
 		return true
 	} else if nickError != nil {
 		c.preregNick = ""
 		return false
 	}
@ -404,12 +397,6 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 	}
 	server.playRegistrationBurst(session)
 	if len(config.Channels.AutoJoin) > 0 {
 		// only applicable to new clients, not reattaches:
 		server.handleAutojoins(session, config.Channels.AutoJoin)
 	}
 	return false
 }
@ -446,9 +433,7 @@ func (server *Server) playRegistrationBurst(session *Session) {
 	session.Send(nil, server.name, RPL_MYINFO, d.nick, server.name, Ver, rplMyInfo1, rplMyInfo2, rplMyInfo3)
 	rb := NewResponseBuffer(session)
 	if !(rb.session.capabilities.Has(caps.ExtendedISupport) && rb.session.isupportSentPrereg) {
 	server.RplISupport(c, rb)
 	}
 	if d.account != "" && session.capabilities.Has(caps.Persistence) {
 		reportPersistenceStatus(c, rb, false)
 	}
@ -470,17 +455,10 @@ func (server *Server) playRegistrationBurst(session *Session) {
 // RplISupport outputs our ISUPPORT lines to the client. This is used on connection and in VERSION responses.
 func (server *Server) RplISupport(client *Client, rb *ResponseBuffer) {
 	server.sendRplISupportLines(client, rb, server.Config().Server.isupport.CachedReply)
 }
 func (server *Server) sendRplISupportLines(client *Client, rb *ResponseBuffer, lines [][]string) {
 	if rb.session.capabilities.Has(caps.ExtendedISupport) {
 		batchID := rb.StartNestedBatch(caps.ExtendedISupportBatchType)
 		defer rb.EndNestedBatch(batchID)
 	}
 	translatedISupport := client.t("are supported by this server")
 	nick := client.Nick()
-	for _, cachedTokenLine := range lines {
+	config := server.Config()
 	for _, cachedTokenLine := range config.Server.isupport.CachedReply {
 		length := len(cachedTokenLine) + 2
 		tokenline := make([]string, length)
 		tokenline[0] = nick
@ -527,14 +505,6 @@ func (server *Server) MOTD(client *Client, rb *ResponseBuffer) {
 	rb.Add(nil, server.name, RPL_ENDOFMOTD, client.nick, client.t("End of MOTD command"))
 }
 func (server *Server) handleAutojoins(session *Session, channelNames []string) {
 	rb := NewResponseBuffer(session)
 	for _, chname := range channelNames {
 		server.channels.Join(session.client, chname, "", false, rb)
 	}
 	rb.Send(true)
 }
 func (client *Client) whoisChannelsNames(target *Client, multiPrefix bool, hasPrivs bool) []string {
 	var chstrs []string
 	targetInvis := target.HasMode(modes.Invisible)
@ -721,6 +691,9 @@ func (server *Server) applyConfig(config *Config) (err error) {
 		if !oldConfig.Accounts.NickReservation.Enabled {
 			server.accounts.buildNickToAccountIndex(config)
 		}
 		if !oldConfig.Channels.Registration.Enabled {
 			server.channels.loadRegisteredChannels(config)
 		}
 		// resize history buffers as needed
 		if config.historyChangedFrom(oldConfig) {
 			for _, channel := range server.channels.Channels() {
@ -815,19 +788,13 @@ func (server *Server) applyConfig(config *Config) (err error) {
 	}
 	if !initial {
-		// send 005 updates (somewhat rare)
+		// push new info to all of our clients
 		if len(newISupportReplies) != 0 {
 		for _, sClient := range server.clients.AllClients() {
-				for _, session := range sClient.Sessions() {
+			for _, tokenline := range newISupportReplies {
-					rb := NewResponseBuffer(session)
+				sClient.Send(nil, server.name, RPL_ISUPPORT, append([]string{sClient.nick}, tokenline...)...)
 					server.sendRplISupportLines(sClient, rb, newISupportReplies)
 					rb.Send(false)
 				}
 			}
 			}
 			if sendRawOutputNotice {
 			for _, sClient := range server.clients.AllClients() {
 				sClient.Notice(sClient.t("This server is in debug mode and is logging all user I/O. If you do not wish for everything you send to be readable by the server owner(s), please disconnect."))
 			}
 		}
@ -1079,7 +1046,7 @@ func (server *Server) ForgetHistory(accountName string) {
 		return
 	}
-	predicate := func(item *history.Item) bool { return item.Account == accountName }
+	predicate := func(item *history.Item) bool { return item.AccountName == accountName }
 	for _, channel := range server.channels.Channels() {
 		channel.history.Delete(predicate)
@ -1093,7 +1060,7 @@ func (server *Server) ForgetHistory(accountName string) {
 // deletes a message. target is a hint about what buffer it's in (not required for
 // persistent history, where all the msgids are indexed together). if accountName
 // is anything other than "*", it must match the recorded AccountName of the message
-func (server *Server) DeleteMessage(target, msgid, account string) (err error) {
+func (server *Server) DeleteMessage(target, msgid, accountName string) (err error) {
 	config := server.Config()
 	var hist *history.Buffer
@ -1116,10 +1083,10 @@ func (server *Server) DeleteMessage(target, msgid, account string) (err error) {
 	}
 	if hist == nil {
-		err = server.historyDB.DeleteMsgid(msgid, account)
+		err = server.historyDB.DeleteMsgid(msgid, accountName)
 	} else {
 		count := hist.Delete(func(item *history.Item) bool {
-			return item.Message.Msgid == msgid && (account == "*" || item.Account == account)
+			return item.Message.Msgid == msgid && (accountName == "*" || item.AccountName == accountName)
 		})
 		if count == 0 {
 			err = errNoop
--- a/irc/services.go
+++ b/irc/services.go
@ -107,10 +107,6 @@ func (service *ircService) Notice(rb *ResponseBuffer, text string) {
 	rb.Add(nil, service.prefix, "NOTICE", rb.target.Nick(), text)
 }
 func (service *ircService) TaggedNotice(rb *ResponseBuffer, text string, tags map[string]string) {
 	rb.Add(tags, service.prefix, "NOTICE", rb.target.Nick(), text)
 }
 // all service commands at the protocol level, by uppercase command name
 // e.g., NICKSERV, NS
 var ergoServicesByCommandAlias map[string]*ircService
--- a/irc/smtp/smtp.go
+++ b/irc/smtp/smtp.go
@ -55,18 +55,17 @@ type Client struct {
 // Dial returns a new Client connected to an SMTP server at addr.
 // The addr must include a port, as in "mail.example.com:smtp".
-func Dial(protocol, addr string, localAddress net.Addr, timeout time.Duration, implicitTLS bool) (*Client, error) {
+func Dial(addr string, timeout time.Duration, implicitTLS bool) (*Client, error) {
 	var conn net.Conn
 	var err error
 	dialer := net.Dialer{
 		Timeout: timeout,
 		LocalAddr: localAddress,
 	}
 	start := time.Now()
 	if !implicitTLS {
-		conn, err = dialer.Dial(protocol, addr)
+		conn, err = dialer.Dial("tcp", addr)
 	} else {
-		conn, err = tls.DialWithDialer(&dialer, protocol, addr, nil)
+		conn, err = tls.DialWithDialer(&dialer, "tcp", addr, nil)
 	}
 	if err != nil {
 		return nil, err
@ -342,7 +341,7 @@ var testHookStartTLS func(*tls.Config) // nil, except for tests
 // functionality. Higher-level packages exist outside of the standard
 // library.
 // XXX: modified in Ergo to add `requireTLS`, `heloDomain`, and `timeout` arguments
-func SendMail(addr string, a Auth, heloDomain string, from string, to []string, msg []byte, requireTLS, implicitTLS bool, protocol string, localAddress net.Addr, timeout time.Duration) error {
+func SendMail(addr string, a Auth, heloDomain string, from string, to []string, msg []byte, requireTLS, implicitTLS bool, timeout time.Duration) error {
 	if err := validateLine(from); err != nil {
 		return err
 	}
@ -351,7 +350,7 @@ func SendMail(addr string, a Auth, heloDomain string, from string, to []string,
 			return err
 		}
 	}
-	c, err := Dial(protocol, addr, localAddress, timeout, implicitTLS)
+	c, err := Dial(addr, timeout, implicitTLS)
 	if err != nil {
 		return err
 	}
--- a/irc/strings.go
+++ b/irc/strings.go
@ -60,10 +60,6 @@ const (
 	// confusables detection: standard skeleton algorithm (which may be ineffective
 	// over the larger set of permitted identifiers)
 	CasemappingPermissive
 	// rfc1459 is a legacy mapping as defined here: https://modern.ircdocs.horse/#casemapping-parameter
 	CasemappingRFC1459
 	// rfc1459-strict is a legacy mapping as defined here: https://modern.ircdocs.horse/#casemapping-parameter
 	CasemappingRFC1459Strict
 )
 // XXX this is a global variable without explicit synchronization.
@ -114,10 +110,6 @@ func casefoldWithSetting(str string, setting Casemapping) (string, error) {
 		return foldASCII(str)
 	case CasemappingPermissive:
 		return foldPermissive(str)
 	case CasemappingRFC1459:
 		return foldRFC1459(str, false)
 	case CasemappingRFC1459Strict:
 		return foldRFC1459(str, true)
 	}
 }
@ -222,7 +214,7 @@ func Skeleton(name string) (string, error) {
 	switch globalCasemappingSetting {
 	default:
 		return realSkeleton(name)
-	case CasemappingASCII, CasemappingRFC1459, CasemappingRFC1459Strict:
+	case CasemappingASCII:
 		// identity function is fine because we independently case-normalize in Casefold
 		return name, nil
 	}
@ -310,23 +302,6 @@ func foldASCII(str string) (result string, err error) {
 	return strings.ToLower(str), nil
 }
 var (
 	rfc1459Replacer       = strings.NewReplacer("[", "{", "]", "}", "\\", "|", "~", "^")
 	rfc1459StrictReplacer = strings.NewReplacer("[", "{", "]", "}", "\\", "|")
 )
 func foldRFC1459(str string, strict bool) (result string, err error) {
 	asciiFold, err := foldASCII(str)
 	if err != nil {
 		return "", err
 	}
 	replacer := rfc1459Replacer
 	if strict {
 		replacer = rfc1459StrictReplacer
 	}
 	return replacer.Replace(asciiFold), nil
 }
 func IsPrintableASCII(str string) bool {
 	for i := 0; i < len(str); i++ {
 		// allow space here because it's technically printable;
--- a/irc/strings_test.go
+++ b/irc/strings_test.go
@ -279,31 +279,3 @@ func TestFoldASCIIInvalid(t *testing.T) {
 		t.Errorf("control characters should be invalid in identifiers")
 	}
 }
 func TestFoldRFC1459(t *testing.T) {
 	folder := func(str string) (string, error) {
 		return foldRFC1459(str, false)
 	}
 	tester := func(first, second string, equal bool) {
 		validFoldTester(first, second, equal, folder, t)
 	}
 	tester("shivaram", "SHIVARAM", true)
 	tester("shivaram[a]", "shivaram{a}", true)
 	tester("shivaram\\a]", "shivaram{a}", false)
 	tester("shivaram\\a]", "shivaram|a}", true)
 	tester("shivaram~a]", "shivaram^a}", true)
 }
 func TestFoldRFC1459Strict(t *testing.T) {
 	folder := func(str string) (string, error) {
 		return foldRFC1459(str, true)
 	}
 	tester := func(first, second string, equal bool) {
 		validFoldTester(first, second, equal, folder, t)
 	}
 	tester("shivaram", "SHIVARAM", true)
 	tester("shivaram[a]", "shivaram{a}", true)
 	tester("shivaram\\a]", "shivaram{a}", false)
 	tester("shivaram\\a]", "shivaram|a}", true)
 	tester("shivaram~a]", "shivaram^a}", false)
 }
--- a/irc/utils/crypto.go
+++ b/irc/utils/crypto.go
@ -14,7 +14,6 @@ import (
 	"encoding/hex"
 	"errors"
 	"net"
 	"strconv"
 	"strings"
 	"time"
 )
@ -32,26 +31,8 @@ var (
 const (
 	SecretTokenLength = 26
 	MachineId         = 1 // Since there's no scaling Ergo, id is fixed at 1. Other things can have 2-127
 )
 var inc uint64 = 0
 // slingamn, if you ever see this, i'm sorry - I just didn't want to attach what i think is redundant data to every
 // message.
 func GenerateMessageId() uint64 {
 	inc++
 	var ts = time.Now().Unix() & 0xffffffffffff
 	var flake = uint64(ts << 16)
 	flake |= MachineId << 10
 	flake |= inc % 0x3ff
 	return flake
 }
 func GenerateMessageIdStr() string {
 	return strconv.FormatUint(GenerateMessageId(), 10)
 }
 // generate a secret token that cannot be brute-forced via online attacks
 func GenerateSecretToken() string {
 	// 128 bits of entropy are enough to resist any online attack:
--- a/irc/utils/text.go
+++ b/irc/utils/text.go
@ -16,7 +16,6 @@ func IsRestrictedCTCPMessage(message string) bool {
 type MessagePair struct {
 	Message string
 	Tags    map[string]string
 	Concat  bool // should be relayed with the multiline-concat tag
 }
@ -38,20 +37,19 @@ type SplitMessage struct {
 func MakeMessage(original string) (result SplitMessage) {
 	result.Message = original
-	result.Msgid = GenerateMessageIdStr()
+	result.Msgid = GenerateSecretToken()
 	result.SetTime()
 	return
 }
-func (sm *SplitMessage) Append(message string, concat bool, tags map[string]string) {
+func (sm *SplitMessage) Append(message string, concat bool) {
 	if sm.Msgid == "" {
-		sm.Msgid = GenerateMessageIdStr()
+		sm.Msgid = GenerateSecretToken()
 	}
 	sm.Split = append(sm.Split, MessagePair{
 		Message: message,
 		Concat:  concat,
 		Tags:    tags,
 	})
 }
--- a/irc/utils/types.go
+++ b/irc/utils/types.go
@ -20,10 +20,26 @@ func (s HashSet[T]) Remove(elem T) {
 	delete(s, elem)
 }
-func SetLiteral[T comparable](elems ...T) HashSet[T] {
+func CopyMap[K comparable, V any](input map[K]V) (result map[K]V) {
-	result := make(HashSet[T], len(elems))
+	result = make(map[K]V, len(input))
-	for _, elem := range elems {
+	for key, value := range input {
-		result.Add(elem)
+		result[key] = value
 	}
-	return result
+	return
 }
 // reverse the order of a slice in place
 func ReverseSlice[T any](results []T) {
 	for i, j := 0, len(results)-1; i < j; i, j = i+1, j-1 {
 		results[i], results[j] = results[j], results[i]
 	}
 }
 func SliceContains[T comparable](slice []T, elem T) (result bool) {
 	for _, t := range slice {
 		if elem == t {
 			return true
 		}
 	}
 	return false
 }
--- a/irc/version.go
+++ b/irc/version.go
@ -7,7 +7,7 @@ import "fmt"
 const (
 	// SemVer is the semantic version of Ergo.
-	SemVer = "2.15.0-unreleased"
+	SemVer = "2.12.0-unreleased"
 )
 var (
--- a/irc/znc.go
+++ b/irc/znc.go
@ -203,7 +203,7 @@ func zncPlayPrivmsgsFrom(client *Client, rb *ResponseBuffer, target string, star
 	zncMax := client.server.Config().History.ZNCMax
 	items, err := sequence.Between(history.Selector{Time: start}, history.Selector{Time: end}, zncMax)
 	if err == nil && len(items) != 0 {
-		client.replayPrivmsgHistory(rb, items, target, false, "", "", 0)
+		client.replayPrivmsgHistory(rb, items, target, false)
 	}
 }
@ -211,7 +211,7 @@ func zncPlayPrivmsgsFromAll(client *Client, rb *ResponseBuffer, start, end time.
 	zncMax := client.server.Config().History.ZNCMax
 	items, err := client.privmsgsBetween(start, end, maxDMTargetsForAutoplay, zncMax)
 	if err == nil && len(items) != 0 {
-		client.replayPrivmsgHistory(rb, items, "", false, "", "", 0)
+		client.replayPrivmsgHistory(rb, items, "", false)
 	}
 }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit a1324407893b603fe6b55ce7c4ee385938291ae1
+Subproject commit 6815dd238b8afd8ad73712d50d3e93cf997c26db
--- a/traditional.yaml
+++ b/traditional.yaml
@ -108,10 +108,9 @@ server:
    # the recommended default is 'ascii' (traditional ASCII-only identifiers).
    # the other options are 'precis', which allows UTF8 identifiers that are "sane"
    # (according to UFC 8265), with additional mitigations for homoglyph attacks,
-    # 'permissive', which allows identifiers containing unusual characters like
+    # and 'permissive', which allows identifiers containing unusual characters like
    # emoji, at the cost of increased vulnerability to homoglyph attacks and potential
-    # client compatibility problems, and the legacy mappings 'rfc1459' and
+    # client compatibility problems. we recommend leaving this value at its default;
    # 'rfc1459-strict'. we recommend leaving this value at its default;
    # however, note that changing it once the network is already up and running is
    # problematic.
    casemapping: "ascii"
@ -193,9 +192,6 @@ server:
                # - "192.168.1.1"
                # - "192.168.10.1/24"
            # whether to accept the hostname parameter on the WEBIRC line as the IRC hostname
            accept-hostname: true
    # maximum length of clients' sendQ in bytes
    # this should be big enough to hold bursts of channel/direct messages
    max-sendq: 96k
@ -341,7 +337,7 @@ server:
    # in a "closed-loop" system where you control the server and all the clients,
    # you may want to increase the maximum (non-tag) length of an IRC line from
    # the default value of 512. DO NOT change this on a public server:
-    #max-line-len: 512
+    # max-line-len: 512
    # send all 0's as the LUSERS (user counts) output to non-operators; potentially useful
    # if you don't want to publicize how popular the server is
@ -382,10 +378,6 @@ accounts:
            sender: "admin@my.network"
            require-tls: true
            helo-domain: "my.network" # defaults to server name if unset
            # set to `tcp4` to force sending over IPv4, `tcp6` to force IPv6:
            # protocol: "tcp4"
            # set to force a specific source/local IPv4 or IPv6 address:
            # local-address: "1.2.3.4"
            # options to enable DKIM signing of outgoing emails (recommended, but
            # requires creating a DNS entry for the public key):
            # dkim:
@ -399,14 +391,8 @@ accounts:
            #     username: "admin"
            #     password: "hunter2"
            #     implicit-tls: false # TLS from the first byte, typically on port 465
-            # addresses that are not accepted for registration:
+            blacklist-regexes:
-            address-blacklist:
+            #    - ".*@mailinator.com"
            #    - "*@mailinator.com"
            address-blacklist-syntax: "glob" # change to "regex" for regular expressions
            # file of newline-delimited address blacklist entries (no enclosing quotes)
            # in the above syntax (i.e. either globs or regexes). supersedes
            # address-blacklist if set:
            # address-blacklist-file: "/path/to/address-blacklist-file"
            timeout: 60s
            # email-based password reset:
            password-reset:
@ -567,40 +553,6 @@ accounts:
        # how many scripts are allowed to run at once? 0 for no limit:
        max-concurrency: 64
    # support for login via OAuth2 bearer tokens
    oauth2:
        enabled: false
        # should we automatically create users on presentation of a valid token?
        autocreate: true
        # enable this to use auth-script for validation:
        auth-script: false
        introspection-url: "https://example.com/api/oidc/introspection"
        introspection-timeout: 10s
        # omit for auth method `none`; required for auth method `client_secret_basic`:
        client-id: "ergo"
        client-secret: "4TA0I7mJ3fUUcW05KJiODg"
    # support for login via JWT bearer tokens
    jwt-auth:
        enabled: false
        # should we automatically create users on presentation of a valid token?
        autocreate: true
        # any of these token definitions can be accepted, allowing for key rotation
        tokens:
            -
                algorithm: "hmac" # either 'hmac', 'rsa', or 'eddsa' (ed25519)
                # hmac takes a symmetric key, rsa and eddsa take PEM-encoded public keys;
                # either way, the key can be specified either as a YAML string:
                key: "nANiZ1De4v6WnltCHN2H7Q"
                # or as a path to the file containing the key:
                #key-file: "jwt_pubkey.pem"
                # list of JWT claim names to search for the user's account name (make sure the format
                # is what you expect, especially if using "sub"):
                account-claims: ["preferred_username"]
                # if a claim is formatted as an email address, require it to have the following domain,
                # and then strip off the domain and use the local-part as the account name:
                #strip-domain: "example.com"
 # channel options
 channels:
    # modes that are set when new channels are created
@ -635,12 +587,6 @@ channels:
    # (0 or omit for no expiration):
    invite-expiration: 24h
    # channels that new clients will automatically join. this should be used with
    # caution, since traditional IRC users will likely view it as an antifeature.
    # it may be useful in small community networks that have a single "primary" channel:
    #auto-join:
    #    - "#lounge"
 # operator classes:
 # an operator has a single "class" (defining a privilege level), which can include
 # multiple "capabilities" (defining privileged actions they can take). all
@ -791,7 +737,7 @@ lock-file: "ircd.lock"
 # datastore configuration
 datastore:
-    # path to the database file (used to store account and channel registrations):
+    # path to the datastore
    path: ircd.db
    # if the database schema requires an upgrade, `autoupgrade` will attempt to
@ -834,9 +780,6 @@ limits:
    # identlen is the max ident length allowed
    identlen: 20
    # realnamelen is the maximum realname length allowed
    realnamelen: 150
    # channellen is the max channel length allowed
    channellen: 64
@ -856,7 +799,7 @@ limits:
    whowas-entries: 100
    # maximum length of channel lists (beI modes)
-    chan-list-modes: 100
+    chan-list-modes: 60
    # maximum number of messages to accept during registration (prevents
    # DoS / resource exhaustion attacks):
@ -1011,8 +954,7 @@ history:
    # options to control how messages are stored and deleted:
    retention:
-        # allow users to delete their own messages from history,
+        # allow users to delete their own messages from history?
        # and channel operators to delete messages in their channel?
        allow-individual-delete: false
        # if persistent history is enabled, create additional index tables,
--- a/vendor/github.com/ergochat/go-ident/client.go
+++ b/vendor/github.com/ergochat/go-ident/client.go
@ -38,12 +38,6 @@ func (e ProtocolError) Error() string {
 // Query makes an Ident query, if timeout is >0 the query is timed out after that many seconds.
 func Query(ip string, portOnServer, portOnClient int, timeout time.Duration) (response Response, err error) {
 	// if a timeout is set, respect it from the beginning of the query, including the dial time
 	var deadline time.Time
 	if timeout > 0 {
 		deadline = time.Now().Add(timeout)
 	}
 	var conn net.Conn
 	if timeout > 0 {
 		conn, err = net.DialTimeout("tcp", net.JoinHostPort(ip, "113"), timeout)
@ -53,12 +47,13 @@ func Query(ip string, portOnServer, portOnClient int, timeout time.Duration) (re
 	if err != nil {
 		return
 	}
 	defer conn.Close()
-	// if timeout is 0, `deadline` is the empty time.Time{} which means no deadline:
+	// stop the ident read after <timeout> seconds
-	conn.SetDeadline(deadline)
+	if timeout > 0 {
 		conn.SetDeadline(time.Now().Add(timeout))
 	}
-	_, err = conn.Write([]byte(fmt.Sprintf("%d, %d\r\n", portOnClient, portOnServer)))
+	_, err = conn.Write([]byte(fmt.Sprintf("%d, %d", portOnClient, portOnServer) + "\r\n"))
 	if err != nil {
 		return
 	}
--- a/vendor/github.com/ergochat/irc-go/ircfmt/ircfmt.go
+++ b/vendor/github.com/ergochat/irc-go/ircfmt/ircfmt.go
@ -5,7 +5,6 @@ package ircfmt
 import (
 	"regexp"
 	"strconv"
 	"strings"
 )
@ -20,126 +19,24 @@ const (
 	underline     string = "\x1f"
 	reset         string = "\x0f"
-	metacharacters = (bold + colour + monospace + reverseColour + italic + strikethrough + underline + reset)
+	runecolour        rune = '\x03'
 	runebold          rune = '\x02'
 	runemonospace     rune = '\x11'
 	runereverseColour rune = '\x16'
 	runeitalic        rune = '\x1d'
 	runestrikethrough rune = '\x1e'
 	runereset         rune = '\x0f'
 	runeunderline     rune = '\x1f'
 	// valid characters in a colour code character, for speed
 	colours1 string = "0123456789"
 )
 // ColorCode is a normalized representation of an IRC color code,
 // as per this de facto specification: https://modern.ircdocs.horse/formatting.html#color
 // The zero value of the type represents a default or unset color,
 // whereas ColorCode{true, 0} represents the color white.
 type ColorCode struct {
 	IsSet bool
 	Value uint8
 }
 // ParseColor converts a string representation of an IRC color code, e.g. "04",
 // into a normalized ColorCode, e.g. ColorCode{true, 4}.
 func ParseColor(str string) (color ColorCode) {
 	// "99 - Default Foreground/Background - Not universally supported."
 	// normalize 99 to ColorCode{} meaning "unset":
 	if code, err := strconv.ParseUint(str, 10, 8); err == nil && code < 99 {
 		color.IsSet = true
 		color.Value = uint8(code)
 	}
 	return
 }
 // FormattedSubstring represents a section of an IRC message with associated
 // formatting data.
 type FormattedSubstring struct {
 	Content         string
 	ForegroundColor ColorCode
 	BackgroundColor ColorCode
 	Bold            bool
 	Monospace       bool
 	Strikethrough   bool
 	Underline       bool
 	Italic          bool
 	ReverseColor    bool
 }
 // IsFormatted returns whether the section has any formatting flags switched on.
 func (f *FormattedSubstring) IsFormatted() bool {
 	// could rely on value receiver but if this is to be a public API,
 	// let's make it a pointer receiver
 	g := *f
 	g.Content = ""
 	return g != FormattedSubstring{}
 }
 var (
 	// "If there are two ASCII digits available where a <COLOR> is allowed,
 	// then two characters MUST always be read for it and displayed as described below."
 	// we rely on greedy matching to implement this for both forms:
 	// (\x03)00,01
 	colorForeBackRe = regexp.MustCompile(`^([0-9]{1,2}),([0-9]{1,2})`)
 	// (\x03)00
 	colorForeRe = regexp.MustCompile(`^([0-9]{1,2})`)
 )
 // Split takes an IRC message (typically a PRIVMSG or NOTICE final parameter)
 // containing IRC formatting control codes, and splits it into substrings with
 // associated formatting information.
 func Split(raw string) (result []FormattedSubstring) {
 	var chunk FormattedSubstring
 	for {
 		// skip to the next metacharacter, or the end of the string
 		if idx := strings.IndexAny(raw, metacharacters); idx != 0 {
 			if idx == -1 {
 				idx = len(raw)
 			}
 			chunk.Content = raw[:idx]
 			if len(chunk.Content) != 0 {
 				result = append(result, chunk)
 			}
 			raw = raw[idx:]
 		}
 		if len(raw) == 0 {
 			return
 		}
 		// we're at a metacharacter. by default, all previous formatting carries over
 		metacharacter := raw[0]
 		raw = raw[1:]
 		switch metacharacter {
 		case bold[0]:
 			chunk.Bold = !chunk.Bold
 		case monospace[0]:
 			chunk.Monospace = !chunk.Monospace
 		case strikethrough[0]:
 			chunk.Strikethrough = !chunk.Strikethrough
 		case underline[0]:
 			chunk.Underline = !chunk.Underline
 		case italic[0]:
 			chunk.Italic = !chunk.Italic
 		case reverseColour[0]:
 			chunk.ReverseColor = !chunk.ReverseColor
 		case reset[0]:
 			chunk = FormattedSubstring{}
 		case colour[0]:
 			// preferentially match the "\x0399,01" form, then "\x0399";
 			// if neither of those matches, then it's a reset
 			if matches := colorForeBackRe.FindStringSubmatch(raw); len(matches) != 0 {
 				chunk.ForegroundColor = ParseColor(matches[1])
 				chunk.BackgroundColor = ParseColor(matches[2])
 				raw = raw[len(matches[0]):]
 			} else if matches := colorForeRe.FindStringSubmatch(raw); len(matches) != 0 {
 				chunk.ForegroundColor = ParseColor(matches[1])
 				raw = raw[len(matches[0]):]
 			} else {
 				chunk.ForegroundColor = ColorCode{}
 				chunk.BackgroundColor = ColorCode{}
 			}
 		default:
 			// should be impossible, but just ignore it
 		}
 	}
 }
 var (
 	// valtoescape replaces most of IRC characters with our escapes.
 	valtoescape = strings.NewReplacer("$", "$$", colour, "$c", reverseColour, "$v", bold, "$b", italic, "$i", strikethrough, "$s", underline, "$u", monospace, "$m", reset, "$r")
 	// valToStrip replaces most of the IRC characters with nothing
 	valToStrip = strings.NewReplacer(colour, "$c", reverseColour, "", bold, "", italic, "", strikethrough, "", underline, "", monospace, "", reset, "")
 	// escapetoval contains most of our escapes and how they map to real IRC characters.
 	// intentionally skips colour, since that's handled elsewhere.
@ -201,9 +98,7 @@ var (
 		"light blue":  "12",
 		"pink":        "13",
 		"grey":        "14",
 		"gray":        "14",
 		"light grey":  "15",
 		"light gray":  "15",
 		"default":     "99",
 	}
@ -228,7 +123,7 @@ func Escape(in string) string {
 			out.WriteString("$c")
 			inRunes = inRunes[2:] // strip colour code chars
-			if len(inRunes) < 1 || !isDigit(inRunes[0]) {
+			if len(inRunes) < 1 || !strings.Contains(colours1, string(inRunes[0])) {
 				out.WriteString("[]")
 				continue
 			}
@ -236,14 +131,14 @@ func Escape(in string) string {
 			var foreBuffer, backBuffer string
 			foreBuffer += string(inRunes[0])
 			inRunes = inRunes[1:]
-			if 0 < len(inRunes) && isDigit(inRunes[0]) {
+			if 0 < len(inRunes) && strings.Contains(colours1, string(inRunes[0])) {
 				foreBuffer += string(inRunes[0])
 				inRunes = inRunes[1:]
 			}
-			if 1 < len(inRunes) && inRunes[0] == ',' && isDigit(inRunes[1]) {
+			if 1 < len(inRunes) && inRunes[0] == ',' && strings.Contains(colours1, string(inRunes[1])) {
 				backBuffer += string(inRunes[1])
 				inRunes = inRunes[2:]
-				if 0 < len(inRunes) && isDigit(inRunes[1]) {
+				if 0 < len(inRunes) && strings.Contains(colours1, string(inRunes[0])) {
 					backBuffer += string(inRunes[0])
 					inRunes = inRunes[1:]
 				}
@ -283,27 +178,52 @@ func Escape(in string) string {
 	return out.String()
 }
 func isDigit(r rune) bool {
 	return '0' <= r && r <= '9' // don't use unicode.IsDigit, it includes non-ASCII numerals
 }
 // Strip takes a raw IRC string and removes it with all formatting codes removed
 // IE, it turns this: "This is a \x02cool\x02, \x034red\x0f message!"
 // into: "This is a cool, red message!"
 func Strip(in string) string {
-	splitChunks := Split(in)
+	out := strings.Builder{}
-	if len(splitChunks) == 0 {
+	runes := []rune(in)
-		return ""
+	if out.Len() < len(runes) { // Reduce allocations where needed
-	} else if len(splitChunks) == 1 {
+		out.Grow(len(in) - out.Len())
-		return splitChunks[0].Content
+	}
 	for len(runes) > 0 {
 		switch runes[0] {
 		case runebold, runemonospace, runereverseColour, runeitalic, runestrikethrough, runeunderline, runereset:
 			runes = runes[1:]
 		case runecolour:
 			runes = removeColour(runes)
 		default:
 			out.WriteRune(runes[0])
 			runes = runes[1:]
 		}
 	}
 	return out.String()
 }
 func removeNumber(runes []rune) []rune {
 	if len(runes) > 0 && runes[0] >= '0' && runes[0] <= '9' {
 		runes = runes[1:]
 	}
 	return runes
 }
 func removeColour(runes []rune) []rune {
 	if runes[0] != runecolour {
 		return runes
 	}
 	runes = runes[1:]
 	runes = removeNumber(runes)
 	runes = removeNumber(runes)
 	if len(runes) > 1 && runes[0] == ',' && runes[1] >= '0' && runes[1] <= '9' {
 		runes = runes[2:]
 	} else {
-		var buf strings.Builder
+		return runes // Nothing else because we dont have a comma
 		buf.Grow(len(in))
 		for _, chunk := range splitChunks {
 			buf.WriteString(chunk.Content)
 		}
 		return buf.String()
 	}
 	runes = removeNumber(runes)
 	return runes
 }
 // resolve "light blue" to "12", "12" to "12", "asdf" to "", etc.
--- a/vendor/github.com/ergochat/irc-go/ircmsg/message.go
+++ b/vendor/github.com/ergochat/irc-go/ircmsg/message.go
@ -196,15 +196,6 @@ func trimInitialSpaces(str string) string {
 	return str[i:]
 }
 func isASCII(str string) bool {
 	for i := 0; i < len(str); i++ {
 		if str[i] > 127 {
 			return false
 		}
 	}
 	return true
 }
 func parseLine(line string, maxTagDataLength int, truncateLen int) (ircmsg Message, err error) {
 	// remove either \n or \r\n from the end of the line:
 	line = strings.TrimSuffix(line, "\n")
@ -247,7 +238,7 @@ func parseLine(line string, maxTagDataLength int, truncateLen int) (ircmsg Messa
 	// truncate if desired
 	if truncateLen != 0 && truncateLen < len(line) {
 		err = ErrorBodyTooLong
-		line = TruncateUTF8Safe(line, truncateLen)
+		line = line[:truncateLen]
 	}
 	// modern: "These message parts, and parameters themselves, are separated
@ -274,16 +265,11 @@ func parseLine(line string, maxTagDataLength int, truncateLen int) (ircmsg Messa
 		commandEnd = len(line)
 		paramStart = len(line)
 	}
-	baseCommand := line[:commandEnd]
+	// normalize command to uppercase:
-	if len(baseCommand) == 0 {
+	ircmsg.Command = strings.ToUpper(line[:commandEnd])
 	if len(ircmsg.Command) == 0 {
 		return ircmsg, ErrorLineIsEmpty
 	}
 	// technically this must be either letters or a 3-digit numeric:
 	if !isASCII(baseCommand) {
 		return ircmsg, ErrorLineContainsBadChar
 	}
 	// normalize command to uppercase:
 	ircmsg.Command = strings.ToUpper(baseCommand)
 	line = line[paramStart:]
 	for {
--- a/vendor/github.com/ergochat/irc-go/ircmsg/unicode.go
+++ b/vendor/github.com/ergochat/irc-go/ircmsg/unicode.go
@ -1,29 +0,0 @@
 // Copyright (c) 2021 Shivaram Lingamneni
 // Released under the MIT License
 package ircmsg
 import (
 	"unicode/utf8"
 )
 // TruncateUTF8Safe truncates a message, respecting UTF8 boundaries. If a message
 // was originally valid UTF8, TruncateUTF8Safe will not make it invalid; instead
 // it will truncate additional bytes as needed, back to the last valid
 // UTF8-encoded codepoint. If a message is not UTF8, TruncateUTF8Safe will truncate
 // at most 3 additional bytes before giving up.
 func TruncateUTF8Safe(message string, byteLimit int) (result string) {
 	if len(message) <= byteLimit {
 		return message
 	}
 	message = message[:byteLimit]
 	for i := 0; i < (utf8.UTFMax - 1); i++ {
 		r, n := utf8.DecodeLastRuneInString(message)
 		if r == utf8.RuneError && n <= 1 {
 			message = message[:len(message)-1]
 		} else {
 			break
 		}
 	}
 	return message
 }
--- a/vendor/github.com/ergochat/irc-go/ircutils/sasl.go
+++ b/vendor/github.com/ergochat/irc-go/ircutils/sasl.go
@ -1,111 +0,0 @@
 package ircutils
 import (
 	"encoding/base64"
 	"errors"
 )
 var (
 	ErrSASLLimitExceeded = errors.New("SASL total response size exceeded configured limit")
 	ErrSASLTooLong       = errors.New("SASL response chunk exceeded 400-byte limit")
 )
 // EncodeSASLResponse encodes a raw SASL response as parameters to successive
 // AUTHENTICATE commands, as described in the IRCv3 SASL specification.
 func EncodeSASLResponse(raw []byte) (result []string) {
 	// https://ircv3.net/specs/extensions/sasl-3.1#the-authenticate-command
 	// "The response is encoded in Base64 (RFC 4648), then split to 400-byte chunks,
 	// and each chunk is sent as a separate AUTHENTICATE command. Empty (zero-length)
 	// responses are sent as AUTHENTICATE +. If the last chunk was exactly 400 bytes
 	// long, it must also be followed by AUTHENTICATE + to signal end of response."
 	if len(raw) == 0 {
 		return []string{"+"}
 	}
 	response := base64.StdEncoding.EncodeToString(raw)
 	result = make([]string, 0, (len(response)/400)+1)
 	lastLen := 0
 	for len(response) > 0 {
 		// TODO once we require go 1.21, this can be: lastLen = min(len(response), 400)
 		lastLen = len(response)
 		if lastLen > 400 {
 			lastLen = 400
 		}
 		result = append(result, response[:lastLen])
 		response = response[lastLen:]
 	}
 	if lastLen == 400 {
 		result = append(result, "+")
 	}
 	return result
 }
 // SASLBuffer handles buffering and decoding SASL responses sent as parameters
 // to AUTHENTICATE commands, as described in the IRCv3 SASL specification.
 // Do not copy a SASLBuffer after first use.
 type SASLBuffer struct {
 	maxLength int
 	buf       []byte
 }
 // NewSASLBuffer returns a new SASLBuffer. maxLength is the maximum amount of
 // data to buffer (0 for no limit).
 func NewSASLBuffer(maxLength int) *SASLBuffer {
 	result := new(SASLBuffer)
 	result.Initialize(maxLength)
 	return result
 }
 // Initialize initializes a SASLBuffer in place.
 func (b *SASLBuffer) Initialize(maxLength int) {
 	b.maxLength = maxLength
 }
 // Add processes an additional SASL response chunk sent via AUTHENTICATE.
 // If the response is complete, it resets the buffer and returns the decoded
 // response along with any decoding or protocol errors detected.
 func (b *SASLBuffer) Add(value string) (done bool, output []byte, err error) {
 	if value == "+" {
 		// total size is a multiple of 400 (possibly 0)
 		output = b.buf
 		b.Clear()
 		return true, output, nil
 	}
 	if len(value) > 400 {
 		b.Clear()
 		return true, nil, ErrSASLTooLong
 	}
 	curLen := len(b.buf)
 	chunkDecodedLen := base64.StdEncoding.DecodedLen(len(value))
 	if b.maxLength != 0 && (curLen+chunkDecodedLen) > b.maxLength {
 		b.Clear()
 		return true, nil, ErrSASLLimitExceeded
 	}
 	// "append-make pattern" as in the bytes.Buffer implementation:
 	b.buf = append(b.buf, make([]byte, chunkDecodedLen)...)
 	n, err := base64.StdEncoding.Decode(b.buf[curLen:], []byte(value))
 	b.buf = b.buf[0 : curLen+n]
 	if err != nil {
 		b.Clear()
 		return true, nil, err
 	}
 	if len(value) < 400 {
 		output = b.buf
 		b.Clear()
 		return true, output, nil
 	} else {
 		return false, nil, nil
 	}
 }
 // Clear resets the buffer state.
 func (b *SASLBuffer) Clear() {
 	// we can't reuse this buffer in general since we may have returned it
 	b.buf = nil
 }
--- a/vendor/github.com/ergochat/irc-go/ircutils/unicode.go
+++ b/vendor/github.com/ergochat/irc-go/ircutils/unicode.go
@ -7,11 +7,24 @@ import (
 	"strings"
 	"unicode"
 	"unicode/utf8"
 	"github.com/ergochat/irc-go/ircmsg"
 )
-var TruncateUTF8Safe = ircmsg.TruncateUTF8Safe
+// truncate a message, taking care not to make valid UTF8 into invalid UTF8
 func TruncateUTF8Safe(message string, byteLimit int) (result string) {
 	if len(message) <= byteLimit {
 		return message
 	}
 	message = message[:byteLimit]
 	for i := 0; i < (utf8.UTFMax - 1); i++ {
 		r, n := utf8.DecodeLastRuneInString(message)
 		if r == utf8.RuneError && n <= 1 {
 			message = message[:len(message)-1]
 		} else {
 			break
 		}
 	}
 	return message
 }
 // Sanitizes human-readable text to make it safe for IRC;
 // assumes UTF-8 and uses the replacement character where
--- a/vendor/github.com/golang-jwt/jwt/v5/.gitignore
+++ b/vendor/github.com/golang-jwt/jwt/v5/.gitignore
--- a/vendor/github.com/golang-jwt/jwt/v5/LICENSE
+++ b/vendor/github.com/golang-jwt/jwt/v5/LICENSE
--- a/vendor/github.com/golang-jwt/jwt/MIGRATION_GUIDE.md
+++ b/vendor/github.com/golang-jwt/jwt/MIGRATION_GUIDE.md
@ -0,0 +1,22 @@
 ## Migration Guide (v3.2.1)
 Starting from [v3.2.1](https://github.com/golang-jwt/jwt/releases/tag/v3.2.1]), the import path has changed from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt`. Future releases will be using the `github.com/golang-jwt/jwt` import path and continue the existing versioning scheme of `v3.x.x+incompatible`. Backwards-compatible patches and fixes will be done on the `v3` release branch, where as new build-breaking features will be developed in a `v4` release, possibly including a SIV-style import path.
 ### go.mod replacement
 In a first step, the easiest way is to use `go mod edit` to issue a replacement.
 ```
 go mod edit -replace github.com/dgrijalva/jwt-go=github.com/golang-jwt/jwt@v3.2.1+incompatible
 go mod tidy
 ```
 This will still keep the old import path in your code but replace it with the new package and also introduce a new indirect dependency to `github.com/golang-jwt/jwt`. Try to compile your project; it should still work.
 ### Cleanup
 If your code still consistently builds, you can replace all occurences of `github.com/dgrijalva/jwt-go` with `github.com/golang-jwt/jwt`, either manually or by using tools such as `sed`. Finally, the `replace` directive in the `go.mod` file can be removed.
 ## Older releases (before v3.2.0)
 The original migration guide for older releases can be found at https://github.com/dgrijalva/jwt-go/blob/master/MIGRATION_GUIDE.md.
--- a/vendor/github.com/golang-jwt/jwt/README.md
+++ b/vendor/github.com/golang-jwt/jwt/README.md
@ -0,0 +1,113 @@
 # jwt-go
 [![build](https://github.com/golang-jwt/jwt/actions/workflows/build.yml/badge.svg)](https://github.com/golang-jwt/jwt/actions/workflows/build.yml)
 [![Go Reference](https://pkg.go.dev/badge/github.com/golang-jwt/jwt.svg)](https://pkg.go.dev/github.com/golang-jwt/jwt)
 A [go](http://www.golang.org) (or 'golang' for search engine friendliness) implementation of [JSON Web Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
 **IMPORT PATH CHANGE:** Starting from [v3.2.1](https://github.com/golang-jwt/jwt/releases/tag/v3.2.1), the import path has changed from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt`. After the original author of the library suggested migrating the maintenance of `jwt-go`, a dedicated team of open source maintainers decided to clone the existing library into this repository. See [dgrijalva/jwt-go#462](https://github.com/dgrijalva/jwt-go/issues/462) for a detailed discussion on this topic.
 Future releases will be using the `github.com/golang-jwt/jwt` import path and continue the existing versioning scheme of `v3.x.x+incompatible`. Backwards-compatible patches and fixes will be done on the `v3` release branch, where as new build-breaking features will be developed in a `v4` release, possibly including a SIV-style import path.
 **SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail.
 **SECURITY NOTICE:** It's important that you [validate the `alg` presented is what you expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). This library attempts to make it easy to do the right thing by requiring key types match the expected alg, but you should take the extra step to verify it in your usage.  See the examples provided.
 ### Supported Go versions
 Our support of Go versions is aligned with Go's [version release policy](https://golang.org/doc/devel/release#policy).
 So we will support a major version of Go until there are two newer major releases.
 We no longer support building jwt-go with unsupported Go versions, as these contain security vulnerabilities
 which will not be fixed.
 ## What the heck is a JWT?
 JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens.
 In short, it's a signed JSON object that does something useful (for example, authentication).  It's commonly used for `Bearer` tokens in Oauth 2.  A token is made of three parts, separated by `.`'s.  The first two parts are JSON objects, that have been [base64url](https://datatracker.ietf.org/doc/html/rfc4648) encoded.  The last part is the signature, encoded the same way.
 The first part is called the header.  It contains the necessary information for verifying the last part, the signature.  For example, which encryption method was used for signing and what key was used.
 The part in the middle is the interesting bit.  It's called the Claims and contains the actual stuff you care about.  Refer to [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519) for information about reserved keys and the proper way to add your own.
 ## What's in the box?
 This library supports the parsing and verification as well as the generation and signing of JWTs.  Current supported signing algorithms are HMAC SHA, RSA, RSA-PSS, and ECDSA, though hooks are present for adding your own.
 ## Examples
 See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt) for examples of usage:
 * [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-Parse-Hmac)
 * [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-New-Hmac)
 * [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt#pkg-examples)
 ## Extensions
 This library publishes all the necessary components for adding your own signing methods.  Simply implement the `SigningMethod` interface and register a factory method using `RegisterSigningMethod`.  
 Here's an example of an extension that integrates with multiple Google Cloud Platform signing tools (AppEngine, IAM API, Cloud KMS): https://github.com/someone1/gcp-jwt-go
 ## Compliance
 This library was last reviewed to comply with [RTF 7519](https://datatracker.ietf.org/doc/html/rfc7519) dated May 2015 with a few notable differences:
 * In order to protect against accidental use of [Unsecured JWTs](https://datatracker.ietf.org/doc/html/rfc7519#section-6), tokens using `alg=none` will only be accepted if the constant `jwt.UnsafeAllowNoneSignatureType` is provided as the key.
 ## Project Status & Versioning
 This library is considered production ready.  Feedback and feature requests are appreciated.  The API should be considered stable.  There should be very few backwards-incompatible changes outside of major version updates (and only with good reason).
 This project uses [Semantic Versioning 2.0.0](http://semver.org).  Accepted pull requests will land on `main`.  Periodically, versions will be tagged from `main`.  You can find all the releases on [the project releases page](https://github.com/golang-jwt/jwt/releases).
 While we try to make it obvious when we make breaking changes, there isn't a great mechanism for pushing announcements out to users.  You may want to use this alternative package include: `gopkg.in/golang-jwt/jwt.v3`.  It will do the right thing WRT semantic versioning.
 **BREAKING CHANGES:*** 
 * Version 3.0.0 includes _a lot_ of changes from the 2.x line, including a few that break the API.  We've tried to break as few things as possible, so there should just be a few type signature changes.  A full list of breaking changes is available in `VERSION_HISTORY.md`.  See `MIGRATION_GUIDE.md` for more information on updating your code.
 ## Usage Tips
 ### Signing vs Encryption
 A token is simply a JSON object that is signed by its author. this tells you exactly two things about the data:
 * The author of the token was in the possession of the signing secret
 * The data has not been modified since it was signed
 It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. JWE is currently outside the scope of this library.
 ### Choosing a Signing Method
 There are several signing methods available, and you should probably take the time to learn about the various options before choosing one.  The principal design decision is most likely going to be symmetric vs asymmetric.
 Symmetric signing methods, such as HSA, use only a single secret. This is probably the simplest signing method to use since any `[]byte` can be used as a valid secret. They are also slightly computationally faster to use, though this rarely is enough to matter. Symmetric signing methods work the best when both producers and consumers of tokens are trusted, or even the same system. Since the same secret is used to both sign and validate tokens, you can't easily distribute the key for validation.
 Asymmetric signing methods, such as RSA, use different keys for signing and verifying tokens. This makes it possible to produce tokens with a private key, and allow any consumer to access the public key for verification.
 ### Signing Methods and Key Types
 Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones:
 * The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
 * The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
 * The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
 ### JWT and OAuth
 It's worth mentioning that OAuth and JWT are not the same thing. A JWT token is simply a signed JSON object. It can be used anywhere such a thing is useful. There is some confusion, though, as JWT is the most common type of bearer token used in OAuth2 authentication.
 Without going too far down the rabbit hole, here's a description of the interaction of these technologies:
 * OAuth is a protocol for allowing an identity provider to be separate from the service a user is logging in to. For example, whenever you use Facebook to log into a different service (Yelp, Spotify, etc), you are using OAuth.
 * OAuth defines several options for passing around authentication data. One popular method is called a "bearer token". A bearer token is simply a string that _should_ only be held by an authenticated user. Thus, simply presenting this token proves your identity. You can probably derive from here why a JWT might make a good bearer token.
 * Because bearer tokens are used for authentication, it's important they're kept secret. This is why transactions that use bearer tokens typically happen over SSL.
 ### Troubleshooting
 This library uses descriptive error messages whenever possible. If you are not getting the expected result, have a look at the errors. The most common place people get stuck is providing the correct type of key to the parser. See the above section on signing methods and key types.
 ## More
 Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt).
 The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.
--- a/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
+++ b/vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md
@ -1,19 +1,13 @@
-# `jwt-go` Version History
+## `jwt-go` Version History
-The following version history is kept for historic purposes. To retrieve the current changes of each version, please refer to the change-log of the specific release versions on https://github.com/golang-jwt/jwt/releases.
+#### 3.2.2
 ## 4.0.0
 * Introduces support for Go modules. The `v4` version will be backwards compatible with `v3.x.y`.
 ## 3.2.2
 * Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 ([#28](https://github.com/golang-jwt/jwt/pull/28)).
 * Fixed a potential issue that could occur when the verification of `exp`, `iat` or `nbf` was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork ([#40](https://github.com/golang-jwt/jwt/pull/40)).
 * Added support for EdDSA / ED25519 ([#36](https://github.com/golang-jwt/jwt/pull/36)).
 * Optimized allocations ([#33](https://github.com/golang-jwt/jwt/pull/33)).
-## 3.2.1
+#### 3.2.1
 * **Import Path Change**: See MIGRATION_GUIDE.md for tips on updating your code
 	* Changed the import path from `github.com/dgrijalva/jwt-go` to `github.com/golang-jwt/jwt`
@ -119,17 +113,17 @@ It is likely the only integration change required here will be to change `func(t
 * Refactored the RSA implementation to be easier to read
 * Exposed helper methods `ParseRSAPrivateKeyFromPEM` and `ParseRSAPublicKeyFromPEM`
-## 1.0.2
+#### 1.0.2
 * Fixed bug in parsing public keys from certificates
 * Added more tests around the parsing of keys for RS256
 * Code refactoring in RS256 implementation.  No functional changes
-## 1.0.1
+#### 1.0.1
 * Fixed panic if RS256 signing method was passed an invalid key
-## 1.0.0
+#### 1.0.0
 * First versioned release
 * API stabilized
--- a/vendor/github.com/golang-jwt/jwt/claims.go
+++ b/vendor/github.com/golang-jwt/jwt/claims.go
@ -0,0 +1,146 @@
 package jwt
 import (
 	"crypto/subtle"
 	"fmt"
 	"time"
 )
 // For a type to be a Claims object, it must just have a Valid method that determines
 // if the token is invalid for any supported reason
 type Claims interface {
 	Valid() error
 }
 // Structured version of Claims Section, as referenced at
 // https://tools.ietf.org/html/rfc7519#section-4.1
 // See examples for how to use this with your own claim types
 type StandardClaims struct {
 	Audience  string `json:"aud,omitempty"`
 	ExpiresAt int64  `json:"exp,omitempty"`
 	Id        string `json:"jti,omitempty"`
 	IssuedAt  int64  `json:"iat,omitempty"`
 	Issuer    string `json:"iss,omitempty"`
 	NotBefore int64  `json:"nbf,omitempty"`
 	Subject   string `json:"sub,omitempty"`
 }
 // Validates time based claims "exp, iat, nbf".
 // There is no accounting for clock skew.
 // As well, if any of the above claims are not in the token, it will still
 // be considered a valid claim.
 func (c StandardClaims) Valid() error {
 	vErr := new(ValidationError)
 	now := TimeFunc().Unix()
 	// The claims below are optional, by default, so if they are set to the
 	// default value in Go, let's not fail the verification for them.
 	if !c.VerifyExpiresAt(now, false) {
 		delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0))
 		vErr.Inner = fmt.Errorf("token is expired by %v", delta)
 		vErr.Errors |= ValidationErrorExpired
 	}
 	if !c.VerifyIssuedAt(now, false) {
 		vErr.Inner = fmt.Errorf("Token used before issued")
 		vErr.Errors |= ValidationErrorIssuedAt
 	}
 	if !c.VerifyNotBefore(now, false) {
 		vErr.Inner = fmt.Errorf("token is not valid yet")
 		vErr.Errors |= ValidationErrorNotValidYet
 	}
 	if vErr.valid() {
 		return nil
 	}
 	return vErr
 }
 // Compares the aud claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool {
 	return verifyAud([]string{c.Audience}, cmp, req)
 }
 // Compares the exp claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (c *StandardClaims) VerifyExpiresAt(cmp int64, req bool) bool {
 	return verifyExp(c.ExpiresAt, cmp, req)
 }
 // Compares the iat claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (c *StandardClaims) VerifyIssuedAt(cmp int64, req bool) bool {
 	return verifyIat(c.IssuedAt, cmp, req)
 }
 // Compares the iss claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (c *StandardClaims) VerifyIssuer(cmp string, req bool) bool {
 	return verifyIss(c.Issuer, cmp, req)
 }
 // Compares the nbf claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool {
 	return verifyNbf(c.NotBefore, cmp, req)
 }
 // ----- helpers
 func verifyAud(aud []string, cmp string, required bool) bool {
 	if len(aud) == 0 {
 		return !required
 	}
 	// use a var here to keep constant time compare when looping over a number of claims
 	result := false
 	var stringClaims string
 	for _, a := range aud {
 		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
 			result = true
 		}
 		stringClaims = stringClaims + a
 	}
 	// case where "" is sent in one or many aud claims
 	if len(stringClaims) == 0 {
 		return !required
 	}
 	return result
 }
 func verifyExp(exp int64, now int64, required bool) bool {
 	if exp == 0 {
 		return !required
 	}
 	return now <= exp
 }
 func verifyIat(iat int64, now int64, required bool) bool {
 	if iat == 0 {
 		return !required
 	}
 	return now >= iat
 }
 func verifyIss(iss string, cmp string, required bool) bool {
 	if iss == "" {
 		return !required
 	}
 	if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 {
 		return true
 	} else {
 		return false
 	}
 }
 func verifyNbf(nbf int64, now int64, required bool) bool {
 	if nbf == 0 {
 		return !required
 	}
 	return now >= nbf
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/doc.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/doc.go
--- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
@ -13,7 +13,7 @@ var (
 	ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")
 )
-// SigningMethodECDSA implements the ECDSA family of signing methods.
+// Implements the ECDSA family of signing methods signing methods
 // Expects *ecdsa.PrivateKey for signing and *ecdsa.PublicKey for verification
 type SigningMethodECDSA struct {
 	Name      string
@ -53,16 +53,24 @@ func (m *SigningMethodECDSA) Alg() string {
 	return m.Name
 }
-// Verify implements token verification for the SigningMethod.
+// Implements the Verify method from SigningMethod
 // For this verify method, key must be an ecdsa.PublicKey struct
-func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interface{}) error {
+func (m *SigningMethodECDSA) Verify(signingString, signature string, key interface{}) error {
 	var err error
 	// Decode the signature
 	var sig []byte
 	if sig, err = DecodeSegment(signature); err != nil {
 		return err
 	}
 	// Get the key
 	var ecdsaKey *ecdsa.PublicKey
 	switch k := key.(type) {
 	case *ecdsa.PublicKey:
 		ecdsaKey = k
 	default:
-		return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
+		return ErrInvalidKeyType
 	}
 	if len(sig) != 2*m.KeySize {
@ -87,21 +95,21 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
 	return ErrECDSAVerification
 }
-// Sign implements token signing for the SigningMethod.
+// Implements the Sign method from SigningMethod
 // For this signing method, key must be an ecdsa.PrivateKey struct
-func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte, error) {
+func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) (string, error) {
 	// Get the key
 	var ecdsaKey *ecdsa.PrivateKey
 	switch k := key.(type) {
 	case *ecdsa.PrivateKey:
 		ecdsaKey = k
 	default:
-		return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
+		return "", ErrInvalidKeyType
 	}
 	// Create the hasher
 	if !m.Hash.Available() {
-		return nil, ErrHashUnavailable
+		return "", ErrHashUnavailable
 	}
 	hasher := m.Hash.New()
@ -112,7 +120,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
 		curveBits := ecdsaKey.Curve.Params().BitSize
 		if m.CurveBits != curveBits {
-			return nil, ErrInvalidKey
+			return "", ErrInvalidKey
 		}
 		keyBytes := curveBits / 8
@ -127,8 +135,8 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
 		r.FillBytes(out[0:keyBytes]) // r is assigned to the first half of output.
 		s.FillBytes(out[keyBytes:])  // s is assigned to the second half of output.
-		return out, nil
+		return EncodeSegment(out), nil
 	} else {
-		return nil, err
+		return "", err
 	}
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go
@ -8,11 +8,11 @@ import (
 )
 var (
-	ErrNotECPublicKey  = errors.New("key is not a valid ECDSA public key")
+	ErrNotECPublicKey  = errors.New("Key is not a valid ECDSA public key")
-	ErrNotECPrivateKey = errors.New("key is not a valid ECDSA private key")
+	ErrNotECPrivateKey = errors.New("Key is not a valid ECDSA private key")
 )
-// ParseECPrivateKeyFromPEM parses a PEM encoded Elliptic Curve Private Key Structure
+// Parse PEM encoded Elliptic Curve Private Key Structure
 func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) {
 	var err error
@ -39,7 +39,7 @@ func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) {
 	return pkey, nil
 }
-// ParseECPublicKeyFromPEM parses a PEM encoded PKCS1 or PKCS8 public key
+// Parse PEM encoded PKCS1 or PKCS8 public key
 func ParseECPublicKeyFromPEM(key []byte) (*ecdsa.PublicKey, error) {
 	var err error
--- a/vendor/github.com/golang-jwt/jwt/v5/ed25519.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/ed25519.go
@ -1,17 +1,16 @@
 package jwt
 import (
 	"crypto"
 	"crypto/ed25519"
 	"crypto/rand"
 	"errors"
 	"crypto/ed25519"
 )
 var (
 	ErrEd25519Verification = errors.New("ed25519: verification error")
 )
-// SigningMethodEd25519 implements the EdDSA family.
+// Implements the EdDSA family
 // Expects ed25519.PrivateKey for signing and ed25519.PublicKey for verification
 type SigningMethodEd25519 struct{}
@ -31,20 +30,27 @@ func (m *SigningMethodEd25519) Alg() string {
 	return "EdDSA"
 }
-// Verify implements token verification for the SigningMethod.
+// Implements the Verify method from SigningMethod
 // For this verify method, key must be an ed25519.PublicKey
-func (m *SigningMethodEd25519) Verify(signingString string, sig []byte, key interface{}) error {
+func (m *SigningMethodEd25519) Verify(signingString, signature string, key interface{}) error {
 	var err error
 	var ed25519Key ed25519.PublicKey
 	var ok bool
 	if ed25519Key, ok = key.(ed25519.PublicKey); !ok {
-		return newError("Ed25519 verify expects ed25519.PublicKey", ErrInvalidKeyType)
+		return ErrInvalidKeyType
 	}
 	if len(ed25519Key) != ed25519.PublicKeySize {
 		return ErrInvalidKey
 	}
 	// Decode the signature
 	var sig []byte
 	if sig, err = DecodeSegment(signature); err != nil {
 		return err
 	}
 	// Verify the signature
 	if !ed25519.Verify(ed25519Key, []byte(signingString), sig) {
 		return ErrEd25519Verification
@ -53,27 +59,23 @@ func (m *SigningMethodEd25519) Verify(signingString string, sig []byte, key inte
 	return nil
 }
-// Sign implements token signing for the SigningMethod.
+// Implements the Sign method from SigningMethod
 // For this signing method, key must be an ed25519.PrivateKey
-func (m *SigningMethodEd25519) Sign(signingString string, key interface{}) ([]byte, error) {
+func (m *SigningMethodEd25519) Sign(signingString string, key interface{}) (string, error) {
-	var ed25519Key crypto.Signer
+	var ed25519Key ed25519.PrivateKey
 	var ok bool
-	if ed25519Key, ok = key.(crypto.Signer); !ok {
+	if ed25519Key, ok = key.(ed25519.PrivateKey); !ok {
-		return nil, newError("Ed25519 sign expects crypto.Signer", ErrInvalidKeyType)
+		return "", ErrInvalidKeyType
 	}
-	if _, ok := ed25519Key.Public().(ed25519.PublicKey); !ok {
+	// ed25519.Sign panics if private key not equal to ed25519.PrivateKeySize
-		return nil, ErrInvalidKey
+	// this allows to avoid recover usage
 	if len(ed25519Key) != ed25519.PrivateKeySize {
 		return "", ErrInvalidKey
 	}
-	// Sign the string and return the result. ed25519 performs a two-pass hash
+	// Sign the string and return the encoded result
-	// as part of its algorithm. Therefore, we need to pass a non-prehashed
+	sig := ed25519.Sign(ed25519Key, []byte(signingString))
-	// message into the Sign function, as indicated by crypto.Hash(0)
+	return EncodeSegment(sig), nil
 	sig, err := ed25519Key.Sign(rand.Reader, []byte(signingString), crypto.Hash(0))
 	if err != nil {
 		return nil, err
 	}
 	return sig, nil
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go
@ -9,11 +9,11 @@ import (
 )
 var (
-	ErrNotEdPrivateKey = errors.New("key is not a valid Ed25519 private key")
+	ErrNotEdPrivateKey = errors.New("Key is not a valid Ed25519 private key")
-	ErrNotEdPublicKey  = errors.New("key is not a valid Ed25519 public key")
+	ErrNotEdPublicKey  = errors.New("Key is not a valid Ed25519 public key")
 )
-// ParseEdPrivateKeyFromPEM parses a PEM-encoded Edwards curve private key
+// Parse PEM-encoded Edwards curve private key
 func ParseEdPrivateKeyFromPEM(key []byte) (crypto.PrivateKey, error) {
 	var err error
@ -38,7 +38,7 @@ func ParseEdPrivateKeyFromPEM(key []byte) (crypto.PrivateKey, error) {
 	return pkey, nil
 }
-// ParseEdPublicKeyFromPEM parses a PEM-encoded Edwards curve public key
+// Parse PEM-encoded Edwards curve public key
 func ParseEdPublicKeyFromPEM(key []byte) (crypto.PublicKey, error) {
 	var err error
--- a/vendor/github.com/golang-jwt/jwt/errors.go
+++ b/vendor/github.com/golang-jwt/jwt/errors.go
@ -0,0 +1,59 @@
 package jwt
 import (
 	"errors"
 )
 // Error constants
 var (
 	ErrInvalidKey      = errors.New("key is invalid")
 	ErrInvalidKeyType  = errors.New("key is of invalid type")
 	ErrHashUnavailable = errors.New("the requested hash function is unavailable")
 )
 // The errors that might occur when parsing and validating a token
 const (
 	ValidationErrorMalformed        uint32 = 1 << iota // Token is malformed
 	ValidationErrorUnverifiable                        // Token could not be verified because of signing problems
 	ValidationErrorSignatureInvalid                    // Signature validation failed
 	// Standard Claim validation errors
 	ValidationErrorAudience      // AUD validation failed
 	ValidationErrorExpired       // EXP validation failed
 	ValidationErrorIssuedAt      // IAT validation failed
 	ValidationErrorIssuer        // ISS validation failed
 	ValidationErrorNotValidYet   // NBF validation failed
 	ValidationErrorId            // JTI validation failed
 	ValidationErrorClaimsInvalid // Generic claims validation error
 )
 // Helper for constructing a ValidationError with a string error message
 func NewValidationError(errorText string, errorFlags uint32) *ValidationError {
 	return &ValidationError{
 		text:   errorText,
 		Errors: errorFlags,
 	}
 }
 // The error from Parse if token is not valid
 type ValidationError struct {
 	Inner  error  // stores the error returned by external dependencies, i.e.: KeyFunc
 	Errors uint32 // bitfield.  see ValidationError... constants
 	text   string // errors that do not have a valid error just have text
 }
 // Validation error is an error type
 func (e ValidationError) Error() string {
 	if e.Inner != nil {
 		return e.Inner.Error()
 	} else if e.text != "" {
 		return e.text
 	} else {
 		return "token is invalid"
 	}
 }
 // No errors
 func (e *ValidationError) valid() bool {
 	return e.Errors == 0
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
@ -6,7 +6,7 @@ import (
 	"errors"
 )
-// SigningMethodHMAC implements the HMAC-SHA family of signing methods.
+// Implements the HMAC-SHA family of signing methods signing methods
 // Expects key type of []byte for both signing and validation
 type SigningMethodHMAC struct {
 	Name string
@ -45,21 +45,18 @@ func (m *SigningMethodHMAC) Alg() string {
 	return m.Name
 }
-// Verify implements token verification for the SigningMethod. Returns nil if
+// Verify the signature of HSXXX tokens.  Returns nil if the signature is valid.
-// the signature is valid. Key must be []byte.
+func (m *SigningMethodHMAC) Verify(signingString, signature string, key interface{}) error {
 //
 // Note it is not advised to provide a []byte which was converted from a 'human
 // readable' string using a subset of ASCII characters. To maximize entropy, you
 // should ideally be providing a []byte key which was produced from a
 // cryptographically random source, e.g. crypto/rand. Additional information
 // about this, and why we intentionally are not supporting string as a key can
 // be found on our usage guide
 // https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types.
 func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interface{}) error {
 	// Verify the key is the right type
 	keyBytes, ok := key.([]byte)
 	if !ok {
-		return newError("HMAC verify expects []byte", ErrInvalidKeyType)
+		return ErrInvalidKeyType
 	}
 	// Decode signature, for comparison
 	sig, err := DecodeSegment(signature)
 	if err != nil {
 		return err
 	}
 	// Can we use the specified hashing method?
@ -80,25 +77,19 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
 	return nil
 }
-// Sign implements token signing for the SigningMethod. Key must be []byte.
+// Implements the Sign method from SigningMethod for this signing method.
-//
+// Key must be []byte
-// Note it is not advised to provide a []byte which was converted from a 'human
+func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) (string, error) {
 // readable' string using a subset of ASCII characters. To maximize entropy, you
 // should ideally be providing a []byte key which was produced from a
 // cryptographically random source, e.g. crypto/rand. Additional information
 // about this, and why we intentionally are not supporting string as a key can
 // be found on our usage guide https://golang-jwt.github.io/jwt/usage/signing_methods/.
 func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
 	if keyBytes, ok := key.([]byte); ok {
 		if !m.Hash.Available() {
-			return nil, ErrHashUnavailable
+			return "", ErrHashUnavailable
 		}
 		hasher := hmac.New(m.Hash.New, keyBytes)
 		hasher.Write([]byte(signingString))
-		return hasher.Sum(nil), nil
+		return EncodeSegment(hasher.Sum(nil)), nil
 	}
-	return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
+	return "", ErrInvalidKeyType
 }
--- a/vendor/github.com/golang-jwt/jwt/map_claims.go
+++ b/vendor/github.com/golang-jwt/jwt/map_claims.go
@ -0,0 +1,120 @@
 package jwt
 import (
 	"encoding/json"
 	"errors"
 	// "fmt"
 )
 // Claims type that uses the map[string]interface{} for JSON decoding
 // This is the default claims type if you don't supply one
 type MapClaims map[string]interface{}
 // VerifyAudience Compares the aud claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (m MapClaims) VerifyAudience(cmp string, req bool) bool {
 	var aud []string
 	switch v := m["aud"].(type) {
 	case string:
 		aud = append(aud, v)
 	case []string:
 		aud = v
 	case []interface{}:
 		for _, a := range v {
 			vs, ok := a.(string)
 			if !ok {
 				return false
 			}
 			aud = append(aud, vs)
 		}
 	}
 	return verifyAud(aud, cmp, req)
 }
 // Compares the exp claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool {
 	exp, ok := m["exp"]
 	if !ok {
 		return !req
 	}
 	switch expType := exp.(type) {
 	case float64:
 		return verifyExp(int64(expType), cmp, req)
 	case json.Number:
 		v, _ := expType.Int64()
 		return verifyExp(v, cmp, req)
 	}
 	return false
 }
 // Compares the iat claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool {
 	iat, ok := m["iat"]
 	if !ok {
 		return !req
 	}
 	switch iatType := iat.(type) {
 	case float64:
 		return verifyIat(int64(iatType), cmp, req)
 	case json.Number:
 		v, _ := iatType.Int64()
 		return verifyIat(v, cmp, req)
 	}
 	return false
 }
 // Compares the iss claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (m MapClaims) VerifyIssuer(cmp string, req bool) bool {
 	iss, _ := m["iss"].(string)
 	return verifyIss(iss, cmp, req)
 }
 // Compares the nbf claim against cmp.
 // If required is false, this method will return true if the value matches or is unset
 func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool {
 	nbf, ok := m["nbf"]
 	if !ok {
 		return !req
 	}
 	switch nbfType := nbf.(type) {
 	case float64:
 		return verifyNbf(int64(nbfType), cmp, req)
 	case json.Number:
 		v, _ := nbfType.Int64()
 		return verifyNbf(v, cmp, req)
 	}
 	return false
 }
 // Validates time based claims "exp, iat, nbf".
 // There is no accounting for clock skew.
 // As well, if any of the above claims are not in the token, it will still
 // be considered a valid claim.
 func (m MapClaims) Valid() error {
 	vErr := new(ValidationError)
 	now := TimeFunc().Unix()
 	if !m.VerifyExpiresAt(now, false) {
 		vErr.Inner = errors.New("Token is expired")
 		vErr.Errors |= ValidationErrorExpired
 	}
 	if !m.VerifyIssuedAt(now, false) {
 		vErr.Inner = errors.New("Token used before issued")
 		vErr.Errors |= ValidationErrorIssuedAt
 	}
 	if !m.VerifyNotBefore(now, false) {
 		vErr.Inner = errors.New("Token is not valid yet")
 		vErr.Errors |= ValidationErrorNotValidYet
 	}
 	if vErr.valid() {
 		return nil
 	}
 	return vErr
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/none.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/none.go
@ -1,6 +1,6 @@
 package jwt
-// SigningMethodNone implements the none signing method.  This is required by the spec
+// Implements the none signing method.  This is required by the spec
 // but you probably should never use it.
 var SigningMethodNone *signingMethodNone
@ -13,7 +13,7 @@ type unsafeNoneMagicConstant string
 func init() {
 	SigningMethodNone = &signingMethodNone{}
-	NoneSignatureTypeDisallowedError = newError("'none' signature type is not allowed", ErrTokenUnverifiable)
+	NoneSignatureTypeDisallowedError = NewValidationError("'none' signature type is not allowed", ValidationErrorSignatureInvalid)
 	RegisterSigningMethod(SigningMethodNone.Alg(), func() SigningMethod {
 		return SigningMethodNone
@ -25,15 +25,18 @@ func (m *signingMethodNone) Alg() string {
 }
 // Only allow 'none' alg type if UnsafeAllowNoneSignatureType is specified as the key
-func (m *signingMethodNone) Verify(signingString string, sig []byte, key interface{}) (err error) {
+func (m *signingMethodNone) Verify(signingString, signature string, key interface{}) (err error) {
 	// Key must be UnsafeAllowNoneSignatureType to prevent accidentally
 	// accepting 'none' signing method
 	if _, ok := key.(unsafeNoneMagicConstant); !ok {
 		return NoneSignatureTypeDisallowedError
 	}
 	// If signing method is none, signature must be an empty string
-	if len(sig) != 0 {
+	if signature != "" {
-		return newError("'none' signing method with non-empty signature", ErrTokenUnverifiable)
+		return NewValidationError(
 			"'none' signing method with non-empty signature",
 			ValidationErrorSignatureInvalid,
 		)
 	}
 	// Accept 'none' signing method.
@ -41,10 +44,9 @@ func (m *signingMethodNone) Verify(signingString string, sig []byte, key interfa
 }
 // Only allow 'none' signing if UnsafeAllowNoneSignatureType is specified as the key
-func (m *signingMethodNone) Sign(signingString string, key interface{}) ([]byte, error) {
+func (m *signingMethodNone) Sign(signingString string, key interface{}) (string, error) {
 	if _, ok := key.(unsafeNoneMagicConstant); ok {
-		return []byte{}, nil
+		return "", nil
 	}
-
+	return "", NoneSignatureTypeDisallowedError
 	return nil, NoneSignatureTypeDisallowedError
 }
--- a/vendor/github.com/golang-jwt/jwt/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/parser.go
@ -0,0 +1,148 @@
 package jwt
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"strings"
 )
 type Parser struct {
 	ValidMethods         []string // If populated, only these methods will be considered valid
 	UseJSONNumber        bool     // Use JSON Number format in JSON decoder
 	SkipClaimsValidation bool     // Skip claims validation during token parsing
 }
 // Parse, validate, and return a token.
 // keyFunc will receive the parsed token and should return the key for validating.
 // If everything is kosher, err will be nil
 func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 	return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
 }
 func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
 	token, parts, err := p.ParseUnverified(tokenString, claims)
 	if err != nil {
 		return token, err
 	}
 	// Verify signing method is in the required set
 	if p.ValidMethods != nil {
 		var signingMethodValid = false
 		var alg = token.Method.Alg()
 		for _, m := range p.ValidMethods {
 			if m == alg {
 				signingMethodValid = true
 				break
 			}
 		}
 		if !signingMethodValid {
 			// signing method is not in the listed set
 			return token, NewValidationError(fmt.Sprintf("signing method %v is invalid", alg), ValidationErrorSignatureInvalid)
 		}
 	}
 	// Lookup key
 	var key interface{}
 	if keyFunc == nil {
 		// keyFunc was not provided.  short circuiting validation
 		return token, NewValidationError("no Keyfunc was provided.", ValidationErrorUnverifiable)
 	}
 	if key, err = keyFunc(token); err != nil {
 		// keyFunc returned an error
 		if ve, ok := err.(*ValidationError); ok {
 			return token, ve
 		}
 		return token, &ValidationError{Inner: err, Errors: ValidationErrorUnverifiable}
 	}
 	vErr := &ValidationError{}
 	// Validate Claims
 	if !p.SkipClaimsValidation {
 		if err := token.Claims.Valid(); err != nil {
 			// If the Claims Valid returned an error, check if it is a validation error,
 			// If it was another error type, create a ValidationError with a generic ClaimsInvalid flag set
 			if e, ok := err.(*ValidationError); !ok {
 				vErr = &ValidationError{Inner: err, Errors: ValidationErrorClaimsInvalid}
 			} else {
 				vErr = e
 			}
 		}
 	}
 	// Perform validation
 	token.Signature = parts[2]
 	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
 		vErr.Inner = err
 		vErr.Errors |= ValidationErrorSignatureInvalid
 	}
 	if vErr.valid() {
 		token.Valid = true
 		return token, nil
 	}
 	return token, vErr
 }
 // WARNING: Don't use this method unless you know what you're doing
 //
 // This method parses the token but doesn't validate the signature. It's only
 // ever useful in cases where you know the signature is valid (because it has
 // been checked previously in the stack) and you want to extract values from
 // it.
 func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
 	parts = strings.Split(tokenString, ".")
 	if len(parts) != 3 {
 		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
 	}
 	token = &Token{Raw: tokenString}
 	// parse Header
 	var headerBytes []byte
 	if headerBytes, err = DecodeSegment(parts[0]); err != nil {
 		if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
 			return token, parts, NewValidationError("tokenstring should not contain 'bearer '", ValidationErrorMalformed)
 		}
 		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
 	}
 	if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
 		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
 	}
 	// parse Claims
 	var claimBytes []byte
 	token.Claims = claims
 	if claimBytes, err = DecodeSegment(parts[1]); err != nil {
 		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
 	}
 	dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
 	if p.UseJSONNumber {
 		dec.UseNumber()
 	}
 	// JSON Decode.  Special case for map type to avoid weird pointer behavior
 	if c, ok := token.Claims.(MapClaims); ok {
 		err = dec.Decode(&c)
 	} else {
 		err = dec.Decode(&claims)
 	}
 	// Handle decode error
 	if err != nil {
 		return token, parts, &ValidationError{Inner: err, Errors: ValidationErrorMalformed}
 	}
 	// Lookup signature method
 	if method, ok := token.Header["alg"].(string); ok {
 		if token.Method = GetSigningMethod(method); token.Method == nil {
 			return token, parts, NewValidationError("signing method (alg) is unavailable.", ValidationErrorUnverifiable)
 		}
 	} else {
 		return token, parts, NewValidationError("signing method (alg) is unspecified.", ValidationErrorUnverifiable)
 	}
 	return token, parts, nil
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/rsa.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa.go
@ -6,7 +6,7 @@ import (
 	"crypto/rsa"
 )
-// SigningMethodRSA implements the RSA family of signing methods.
+// Implements the RSA family of signing methods signing methods
 // Expects *rsa.PrivateKey for signing and *rsa.PublicKey for validation
 type SigningMethodRSA struct {
 	Name string
@ -44,14 +44,22 @@ func (m *SigningMethodRSA) Alg() string {
 	return m.Name
 }
-// Verify implements token verification for the SigningMethod
+// Implements the Verify method from SigningMethod
 // For this signing method, must be an *rsa.PublicKey structure.
-func (m *SigningMethodRSA) Verify(signingString string, sig []byte, key interface{}) error {
+func (m *SigningMethodRSA) Verify(signingString, signature string, key interface{}) error {
 	var err error
 	// Decode the signature
 	var sig []byte
 	if sig, err = DecodeSegment(signature); err != nil {
 		return err
 	}
 	var rsaKey *rsa.PublicKey
 	var ok bool
 	if rsaKey, ok = key.(*rsa.PublicKey); !ok {
-		return newError("RSA verify expects *rsa.PublicKey", ErrInvalidKeyType)
+		return ErrInvalidKeyType
 	}
 	// Create hasher
@ -65,20 +73,20 @@ func (m *SigningMethodRSA) Verify(signingString string, sig []byte, key interfac
 	return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
 }
-// Sign implements token signing for the SigningMethod
+// Implements the Sign method from SigningMethod
 // For this signing method, must be an *rsa.PrivateKey structure.
-func (m *SigningMethodRSA) Sign(signingString string, key interface{}) ([]byte, error) {
+func (m *SigningMethodRSA) Sign(signingString string, key interface{}) (string, error) {
 	var rsaKey *rsa.PrivateKey
 	var ok bool
 	// Validate type of key
 	if rsaKey, ok = key.(*rsa.PrivateKey); !ok {
-		return nil, newError("RSA sign expects *rsa.PrivateKey", ErrInvalidKeyType)
+		return "", ErrInvalidKey
 	}
 	// Create the hasher
 	if !m.Hash.Available() {
-		return nil, ErrHashUnavailable
+		return "", ErrHashUnavailable
 	}
 	hasher := m.Hash.New()
@ -86,8 +94,8 @@ func (m *SigningMethodRSA) Sign(signingString string, key interface{}) ([]byte,
 	// Sign the string and return the encoded bytes
 	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
-		return sigBytes, nil
+		return EncodeSegment(sigBytes), nil
 	} else {
-		return nil, err
+		return "", err
 	}
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go
@ -1,4 +1,3 @@
 //go:build go1.4
 // +build go1.4
 package jwt
@ -9,7 +8,7 @@ import (
 	"crypto/rsa"
 )
-// SigningMethodRSAPSS implements the RSAPSS family of signing methods signing methods
+// Implements the RSAPSS family of signing methods signing methods
 type SigningMethodRSAPSS struct {
 	*SigningMethodRSA
 	Options *rsa.PSSOptions
@ -80,15 +79,23 @@ func init() {
 	})
 }
-// Verify implements token verification for the SigningMethod.
+// Implements the Verify method from SigningMethod
 // For this verify method, key must be an rsa.PublicKey struct
-func (m *SigningMethodRSAPSS) Verify(signingString string, sig []byte, key interface{}) error {
+func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interface{}) error {
 	var err error
 	// Decode the signature
 	var sig []byte
 	if sig, err = DecodeSegment(signature); err != nil {
 		return err
 	}
 	var rsaKey *rsa.PublicKey
 	switch k := key.(type) {
 	case *rsa.PublicKey:
 		rsaKey = k
 	default:
-		return newError("RSA-PSS verify expects *rsa.PublicKey", ErrInvalidKeyType)
+		return ErrInvalidKey
 	}
 	// Create hasher
@ -106,21 +113,21 @@ func (m *SigningMethodRSAPSS) Verify(signingString string, sig []byte, key inter
 	return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, opts)
 }
-// Sign implements token signing for the SigningMethod.
+// Implements the Sign method from SigningMethod
 // For this signing method, key must be an rsa.PrivateKey struct
-func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) ([]byte, error) {
+func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) (string, error) {
 	var rsaKey *rsa.PrivateKey
 	switch k := key.(type) {
 	case *rsa.PrivateKey:
 		rsaKey = k
 	default:
-		return nil, newError("RSA-PSS sign expects *rsa.PrivateKey", ErrInvalidKeyType)
+		return "", ErrInvalidKeyType
 	}
 	// Create the hasher
 	if !m.Hash.Available() {
-		return nil, ErrHashUnavailable
+		return "", ErrHashUnavailable
 	}
 	hasher := m.Hash.New()
@ -128,8 +135,8 @@ func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) ([]byt
 	// Sign the string and return the encoded bytes
 	if sigBytes, err := rsa.SignPSS(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil), m.Options); err == nil {
-		return sigBytes, nil
+		return EncodeSegment(sigBytes), nil
 	} else {
-		return nil, err
+		return "", err
 	}
 }
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Shivaram Lingamneni	3d5da0c39b	add a benchmark for NAMES	2023-04-03 03:40:04 -04:00
Shivaram Lingamneni	a6664459f6	tweak member caching	2023-04-02 17:18:41 -04:00
Shivaram Lingamneni	780116b0c2	tweaks to NAMES implementation	2023-04-02 02:30:14 -04:00
`@ -1,4 +1,4 @@`
	`//go:build !(plan9 \|\| solaris)`	`//go:build !plan9`

	`package flock`	`package flock`
`@ -1,4 +1,4 @@`
	`//go:build plan9 \|\| solaris`	`//go:build plan9`

	`package flock`	`package flock`
		`@ -1 +1 @@`
			`Subproject commit a1324407893b603fe6b55ce7c4ee385938291ae1`				`Subproject commit 6815dd238b8afd8ad73712d50d3e93cf997c26db`