2025-07-12 08:27:27 +02:00
308 changed files with 10411 additions and 18701 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -12,14 +12,14 @@ on:
 jobs:
  build:
-    runs-on: "ubuntu-24.04"
+    runs-on: "ubuntu-22.04"
    steps:
      - name: "checkout repository"
        uses: "actions/checkout@v3"
      - name: "setup go"
        uses: "actions/setup-go@v3"
        with:
-          go-version: "1.24"
+          go-version: "1.22"
      - name: "install python3-pytest"
        run: "sudo apt install -y python3-pytest"
      - name: "make install"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,6 +1,5 @@
 # .goreleaser.yml
 # Build customization
 version: 2
 project_name: ergo
 builds:
  - main: ergo.go
@ -18,7 +17,6 @@ builds:
      - amd64
      - arm
      - arm64
      - riscv64
    goarm:
      - 6
    ignore:
@ -26,41 +24,30 @@ builds:
        goarch: arm
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: riscv64
      - goos: darwin
        goarch: arm
      - goos: darwin
        goarch: riscv64
      - goos: freebsd
        goarch: arm
      - goos: freebsd
        goarch: arm64
      - goos: freebsd
        goarch: riscv64
      - goos: openbsd
        goarch: arm
      - goos: openbsd
        goarch: arm64
      - goos: openbsd
        goarch: riscv64
      - goos: plan9
        goarch: arm
      - goos: plan9
        goarch: arm64
      - goos: plan9
        goarch: riscv64
    flags:
      - -trimpath
 archives:
  -
-    name_template: >-
+    name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
            {{ .ProjectName }}-{{ .Version }}-
            {{- if eq .Os "darwin" }}macos{{- else }}{{ .Os }}{{ end -}}-
            {{- if eq .Arch "amd64" }}x86_64{{- else }}{{ .Arch }}{{ end -}}
            {{ if .Arm }}v{{ .Arm }}{{ end -}}
    format: tar.gz
    replacements:
      amd64: x86_64
      darwin: macos
    format_overrides:
      - goos: windows
        format: zip
@ -71,7 +58,6 @@ archives:
      - ergo.motd
      - default.yaml
      - traditional.yaml
      - docs/API.md
      - docs/MANUAL.md
      - docs/USERGUIDE.md
      - languages/*.yaml
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,80 +1,13 @@
 # Changelog
 All notable changes to Ergo will be documented in this file.
-## [2.16.0] - 2025-05-18
+## [2.14.0-rc1] - 2024-06-09
-We're pleased to be publishing v2.16.0, a new stable release. This release contains bug fixes and some minor updates.
+
 We're pleased to be publishing the release candidate for v2.14.0 (the official release should follow within two weeks or so). This release contains primarily bug fixes, with the addition of some new authentication mechanisms for integrating with web clients.
 This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.
-Many thanks to [@csmith](https://github.com/csmith), [@delthas](https://github.com/delthas), donio, [@emersion](https://github.com/emersion), [@KlaasT](https://github.com/KlaasT), [@knolley](https://github.com/knolley), [@Mailaender](https://github.com/Mailaender), and [@prdes](https://github.com/prdes) for reporting issues and helping test.
+Many thanks to [@al3xandros](https://github.com/al3xandros), donio, [@eeeeeta](https://github.com/eeeeeta), [@emersion](https://github.com/emersion), [@Eriner](https://github.com/Eriner), [@eskimo](https://github.com/eskimo), [@Herringway](https://github.com/Herringway), [@jwheare](https://github.com/jwheare), [@knolley](https://github.com/knolley), pathof, [@poVoq](https://github.com/poVoq), [@progval](https://github.com/progval), [@RNDpacman](https://github.com/RNDpacman), and [@xnaas](https://github.com/xnaas) for contributing patches, reporting issues, and helping test.
 ### Config changes
 * Added `api` block for configuring the new HTTP API. If this block is absent, the API is disabled (#2231)
 * Added `server.additional-isupport` for publishing arbitrary ISUPPORT tokens (#2220, #2240)
 * Added `server.command-aliases` to configure aliases for server commands (#2229, #2236)
 * Added options to `roleplay` to customize the NUH's sent for `NPC` and `SCENE`. Roleplay remains deprecated and disabled by default. (#2237)
 ### Security
 * Mitigated HTTP DoS attacks by rejecting IRC sessions that begin with an HTTP verb, such as `POST`. If you were relying on this to create IRC sessions via an HTTP client, please open an issue. (#2239)
 ### Added
 * Added an HTTP API, providing programmatic access to Ergo functionality (#2231, thanks [@KlaasT](https://github.com/KlaasT)!)
 * Added SAFERATE to 005 ISUPPORT tokens (#2223, thanks [@delthas](https://github.com/delthas)!)
 * Added support for ed25519-sha256 for DKIM. However, enabling this algorithm is not recommended since mainstream email providers still do not support it. (#1041, #2242)
 ### Fixed
 * Fixed `CHATHISTORY TARGETS` from MySQL backend reporting incorrect timestamps when the server timezone is not UTC (#2224)
 * Fixed batch name parameter in `draft/isupport` responses (#2253)
 * Fixed `NS UNREGISTER` not deleting the stored push subscriptions (#2254)
 * Fixed cases where `NS SAREGISTER` could create clients without applying the default user modes (#2252, #2254, thanks donio!)
 * Improved validation of `CHATHISTORY` parameters (#2248, #2249, thanks [@prdes](https://github.com/prdes)!)
 * Added validation to ensure the MOTD is UTF-8 when `enforce-utf8` is enabled (the recommended default) (#2228, #2233, thanks [@KlaasT](https://github.com/KlaasT)!)
 * The client's own `QUIT` line now respects the `server-time` capability (#2218, #2219)
 * Fixed sending unnecessary replies to certain invalid `MODE` changes (#2213)
 * Improved safety of ISUPPORT length limits (#2241)
 ### Changed
 * The `draft/message-redaction` capability is no longer advertised when `allow-individual-delete` is disabled (#2215, #2216, thanks [@delthas](https://github.com/delthas)!)
 * Receiving the UTF-8 BOM (byte-order mark) at the start of an IRC connection now produces an explicit error (#2244, #2247, thanks [@csmith](https://github.com/csmith), [@Mailaender](https://github.com/Mailaender)!)
 ### Internal
 * Release builds use Go 1.24.3 (#2217)
 ## [2.15.0] - 2025-01-26
 We're pleased to be publishing v2.15.0, a new stable release. This release adds support for mobile push notifications, via the [draft/webpush](https://github.com/ircv3/ircv3-specifications/pull/471) specification. More information on this is available in the [manual](https://github.com/ergochat/ergo/blob/ab2d842b270d9df217c779df9c7a5c594d85fdd5/docs/MANUAL.md#push-notifications) and [user guide](https://github.com/ergochat/ergo/blob/ab2d842b270d9df217c779df9c7a5c594d85fdd5/docs/USERGUIDE.md#push-notifications). This feature is still considered to be in an experimental state; `default.yaml` ships with it disabled, and its configuration may have backwards-incompatible changes in the future.
 This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading.
 This release includes a database change. If you have `datastore.autoupgrade` set to `true` in your configuration, it will be automatically applied when you restart Ergo. Otherwise, you can update the database manually by running `ergo upgradedb` (see the manual for complete instructions).
 Many thanks to [@delthas](https://github.com/delthas), [@donatj](https://github.com/donatj), donio, [@emersion](https://github.com/emersion), and [@eskimo](https://github.com/eskimo) for contributing patches and helping test.
 ### Config changes
 * Added `webpush` block to the config file to configure push notifications. See `default.yaml` for an example. Note that at this time, `default.yaml` ships with support for push notifications disabled; operators can enable them by setting `webpush.enabled: true`. In the absence of such a block, push notifications are disabled.
 * We recommend the addition of `"WEBPUSH": 1` to `fakelag.command-budgets`, to speed up mobile reattach when web push is enabled. See `default.yaml` for an example.
 ### Added
 * Added support for the [draft/webpush](https://github.com/ircv3/ircv3-specifications/pull/471) specification (#2205, thanks [@emersion](https://github.com/emersion), [@eskimo](https://github.com/eskimo)!)
 * Added support for the [draft/extended-isupport](https://github.com/ircv3/ircv3-specifications/pull/543) specification (#2184, thanks [@emersion](https://github.com/emersion)!)
 * `UBAN ADD` now accepts `REQUIRE-SASL` with NUH masks, i.e. k-lines (#2198, #2199)
 * Ergo now publishes the `SAFELIST` ISUPPORT parameter (#2196, thanks [@delthas](https://github.com/delthas)!)
 ### Fixed
 * Fixed incorrect parameters when pushing `005` (ISUPPORT) updates to clients on rehash (#2177, #2184)
 ### Internal
 * Official release builds use Go 1.23.5
 * Added a unique identifier to identify connections in debug logs. This has no privacy implications in a standard, non-debug configuration of Ergo. (#2206, thanks donio!)
 * Added support for Solaris on amd64 CPUs (#2183)
 ## [2.14.0] - 2024-06-30
 We're pleased to be publishing v2.14.0, a new stable release. This release contains primarily bug fixes, with the addition of some new authentication mechanisms for integrating with web clients.
 This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.
 Many thanks to [@al3xandros](https://github.com/al3xandros), donio, [@eeeeeta](https://github.com/eeeeeta), [@emersion](https://github.com/emersion), [@Eriner](https://github.com/Eriner), [@eskimo](https://github.com/eskimo), [@Herringway](https://github.com/Herringway), [@jwheare](https://github.com/jwheare), [@knolley](https://github.com/knolley), [@mengzhuo](https://github.com/mengzhuo), pathof, [@poVoq](https://github.com/poVoq), [@progval](https://github.com/progval), [@RNDpacman](https://github.com/RNDpacman), and [@xnaas](https://github.com/xnaas) for contributing patches, reporting issues, and helping test.
 ### Config changes
 * Added `accounts.oauth2` and `accounts.jwt-auth` blocks for configuring OAuth2 and JWT authentication (#2004)
@ -90,7 +23,6 @@ Many thanks to [@al3xandros](https://github.com/al3xandros), donio, [@eeeeeta](h
 * The new `ergo defaultconfig` subcommand prints a copy of the default config file to standard output (#2157, #2160, thanks [@al3xandros](https://github.com/al3xandros)!)
 ### Fixed
 * Even with `allow-truncation: false` (the recommended default), some oversized messages were being accepted and relayed with truncation. These messages will now be rejected with `417 ERR_INPUTTOOLONG` as expected (#2170)
 * NICK and QUIT from invisible members of auditorium channels are no longer recorded in history (#2133, #2137, thanks [@knolley](https://github.com/knolley) and [@poVoq](https://github.com/poVoq)!)
 * If channel registration was disabled, registered channels could become inaccessible after rehash; this has been fixed (#2130, thanks [@eeeeeta](https://github.com/eeeeeta)!)
 * Attempts to use unrecognized SASL mechanisms no longer count against the login throttle, improving compatibility with Pidgin (#2156, thanks donio and pathof!)
@ -108,7 +40,6 @@ Many thanks to [@al3xandros](https://github.com/al3xandros), donio, [@eeeeeta](h
 ### Internal
 * Official release builds use Go 1.22.4
 * Added a linux/riscv64 release (#2172, #2173, thanks [@mengzhuo](https://github.com/mengzhuo)!)
 ## [2.13.1] - 2024-05-06
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 ## build ergo binary
-FROM docker.io/golang:1.24-alpine AS build-env
+FROM docker.io/golang:1.22-alpine AS build-env
 RUN apk upgrade -U --force-refresh --no-cache && apk add --no-cache --purge --clean-protected -l -u make git
--- a/13
+++ b/13
@ -1,3 +1,5 @@
 .PHONY: all install build release capdefs test smoke gofmt irctest
 GIT_COMMIT := $(shell git rev-parse HEAD 2> /dev/null)
 GIT_TAG := $(shell git tag --points-at HEAD 2> /dev/null | head -n 1)
@ -7,42 +9,33 @@ export CGO_ENABLED ?= 0
 capdef_file = ./irc/caps/defs.go
 .PHONY: all
 all: build
 .PHONY: install
 install:
 	go install -v -ldflags "-X main.commit=$(GIT_COMMIT) -X main.version=$(GIT_TAG)"
 .PHONY: build
 build:
 	go build -v -ldflags "-X main.commit=$(GIT_COMMIT) -X main.version=$(GIT_TAG)"
 .PHONY: release
 release:
-	goreleaser --skip=publish --clean
+	goreleaser --skip-publish --rm-dist
 .PHONY: capdefs
 capdefs:
 	python3 ./gencapdefs.py > ${capdef_file}
 .PHONY: test
 test:
 	python3 ./gencapdefs.py | diff - ${capdef_file}
 	go test ./...
 	go vet ./...
 	./.check-gofmt.sh
 .PHONY: smoke
 smoke: install
 	ergo mkcerts --conf ./default.yaml || true
 	ergo run --conf ./default.yaml --smoke
 .PHONY: gofmt
 gofmt:
 	./.check-gofmt.sh --fix
 .PHONY: irctest
 irctest: install
 	git submodule update --init
 	cd irctest && make ergo
--- a/default.yaml
+++ b/default.yaml
@ -100,7 +100,6 @@ server:
        max-connections-per-duration: 64
    # strict transport security, to get clients to automagically use TLS
    # (irrelevant in the recommended configuration, with no public plaintext listener)
    sts:
        # whether to advertise STS
        #
@ -376,17 +375,6 @@ server:
    # if you don't want to publicize how popular the server is
    suppress-lusers: false
    # publish additional key-value pairs in ISUPPORT (the 005 numeric).
    # keys that collide with a key published by Ergo will be silently ignored.
    additional-isupport:
        #"draft/FILEHOST": "https://example.com/filehost"
        #"draft/bazbat": "" # empty string means no value
    # optionally map command alias names to existing ergo commands. most deployments
    # should ignore this.
    #command-aliases:
        #"UMGEBUNG": "AMBIANCE"
 # account options
 accounts:
    # is account authentication enabled, i.e., can users log into existing accounts?
@ -522,7 +510,7 @@ accounts:
        # 1. these nicknames cannot be registered or reserved
        # 2. if a client is automatically renamed by the server,
        #    this is the template that will be used (e.g., Guest-nccj6rgmt97cg)
-        # 3. if force-guest-format (see below) is enabled, clients without
+        # 3. if enforce-guest-format (see below) is enabled, clients without
        #    a registered account will have this template applied to their
        #    nicknames (e.g., 'katie' will become 'Guest-katie')
        guest-nickname-format: "Guest-*"
@ -724,7 +712,6 @@ oper-classes:
            - "history"      # modify or delete history messages
            - "defcon"       # use the DEFCON command (restrict server capabilities)
            - "massmessage"  # message all users on the server
            - "metadata"     # modify arbitrary metadata on channels and users
 # ircd operators
 opers:
@ -789,7 +776,7 @@ logging:
        # be logged, even if you explicitly include it
        #
        # useful types include:
-        #   *               everything (usually used with excluding some types below)
+        #   *               everything (usually used with exclusing some types below)
        #   server          server startup, rehash, and shutdown events
        #   accounts        account registration and authentication
        #   channels        channel creation and operations
@ -833,7 +820,7 @@ lock-file: "ircd.lock"
 # datastore configuration
 datastore:
-    # path to the database file (used to store account and channel registrations):
+    # path to the datastore
    path: ircd.db
    # if the database schema requires an upgrade, `autoupgrade` will attempt to
@ -935,7 +922,6 @@ fakelag:
        "MARKREAD":    16
        "MONITOR":     1
        "WHO":         4
        "WEBPUSH":     1
 # the roleplay commands are semi-standardized extensions to IRC that allow
 # sending and receiving messages from pseudo-nicknames. this can be used either
@ -954,12 +940,6 @@ roleplay:
    # add the real nickname, in parentheses, to the end of every roleplay message?
    add-suffix: true
    # allow customizing the NUH's sent for NPC and SCENE commands
    # NPC: the first %s is the NPC name, the second is the user's real nick
    #npc-nick-mask: "*%s*!%s@npc.fakeuser.invalid"
    # SCENE: the %s is the client's real nick
    #scene-nick-mask: "=Scene=!%s@npc.fakeuser.invalid"
 # external services can integrate with the ircd using JSON Web Tokens (https://jwt.io).
 # in effect, the server can sign a token attesting that the client is present on
 # the server, is a member of a particular channel, etc.
@ -1087,51 +1067,3 @@ history:
 # whether to allow customization of the config at runtime using environment variables,
 # e.g., ERGO__SERVER__MAX_SENDQ=128k. see the manual for more details.
 allow-environment-overrides: true
 # metadata support for setting key/value data on channels and nicknames.
 metadata:
    # can clients store metadata?
    enabled: true
    # how many keys can a client subscribe to?
    max-subs: 100
    # how many keys can be stored per entity?
    max-keys: 100
 # experimental support for mobile push notifications
 # see the manual for potential security, privacy, and performance implications.
 # DO NOT enable if you are running a Tor or I2P hidden service (i.e. one
 # with no public IP listeners, only Tor/I2P listeners).
 webpush:
    # are push notifications enabled at all?
    enabled: false
    # request timeout for POST'ing the http notification
    timeout: 10s
    # delay sending the notification for this amount of time, then suppress it
    # if the client sent MARKREAD to indicate that it was read on another device
    delay: 0s
    # subscriber field for the VAPID JWT authorization:
    #subscriber: "https://your-website.com/"
    # maximum number of push subscriptions per user
    max-subscriptions: 4
    # expiration time for a push subscription; it must be renewed within this time
    # by the client reconnecting to IRC. we also detect whether the client is no longer
    # successfully receiving push messages.
    expiration: 14d
 # HTTP API. we strongly recommend leaving this disabled unless you have a specific
 # need for it.
 api:
    # is the API enabled at all?
    enabled: false
    # listen address:
    listener: "127.0.0.1:8089"
    # serve over TLS (strongly recommended if the listener is public):
    #tls:
        #cert: fullchain.pem
        #key: privkey.pem
    # one or more static bearer tokens accepted for HTTP bearer authentication.
    # these must be strong, unique, high-entropy printable ASCII strings.
    # to generate a new token, use `ergo gentoken` or:
    # python3 -c "import secrets; print(secrets.token_urlsafe(32))"
    bearer-tokens:
        - "example"
--- a/distrib/docker/README.md
+++ b/distrib/docker/README.md
@ -53,14 +53,14 @@ For example, to create a new docker volume and then mount it:
 ```shell
 docker volume create ergo-data
-docker run --init --name ergo -d -v ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
+docker run --init -d -v ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
 ```
 Or to mount a folder from your host machine:
 ```shell
 mkdir ergo-data
-docker run --init --name ergo -d -v $(pwd)/ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
+docker run --init -d -v $(PWD)/ergo-data:/ircd -p 6667:6667 -p 6697:6697 ghcr.io/ergochat/ergo:stable
 ```
 ## Customising the config
@ -85,8 +85,8 @@ docker kill -s SIGHUP ergo
 ## Using custom TLS certificates
-TLS certs will by default be read from /ircd/fullchain.pem, with a private key
+TLS certs will by default be read from /ircd/tls.crt, with a private key
-in /ircd/privkey.pem. You can customise this path in the ircd.yaml file if
+in /ircd/tls.key. You can customise this path in the ircd.yaml file if
 you wish to mount the certificates from another volume. For information
 on using Let's Encrypt certificates, see
 [this manual entry](https://github.com/ergochat/ergo/blob/master/docs/MANUAL.md#using-valid-tls-certificates).
--- a/docs/API.md
+++ b/docs/API.md
@ -1,124 +0,0 @@
         __ __  ______ ___  ______ ___ 
      __/ // /_/ ____/ __ \/ ____/ __ \
     /_  // __/ __/ / /_/ / / __/ / / /
    /_  // __/ /___/ _, _/ /_/ / /_/ / 
     /_//_/ /_____/_/ |_|\____/\____/  
        Ergo IRCd API Documentation
            https://ergo.chat/
 _Copyright © Daniel Oaks <daniel@danieloaks.net>, Shivaram Lingamneni <slingamn@cs.stanford.edu>_
 --------------------------------------------------------------------------------------------
 Ergo has an experimental HTTP API. Some general information about the API:
 1. All requests to the API are via POST.
 1. All requests to the API are authenticated via bearer authentication. This is a header named `Authorization` with the value `Bearer <token>`. A list of valid tokens is hardcoded in the Ergo config. Future versions of Ergo may allow additional validation schemes for tokens.
 1. The request parameters are sent as JSON in the POST body.
 1. Any status code other than 200 is an error response; the response body is undefined in this case (likely human-readable text for debugging).
 1. A 200 status code indicates successful execution of the request. The response body will be JSON and may indicate application-level success or failure (typically via the `success` field, which takes a boolean value).
 API endpoints are versioned (currently all endpoints have a `/v1/` path prefix). Backwards-incompatible updates will most likely take the form of endpoints with new names, or an increased version prefix. Any exceptions to this will be specifically documented in the changelog.
 All API endpoints should be considered highly privileged. Bearer tokens should be kept secret. Access to the API should be either over a trusted link (like loopback) or secured via verified TLS. See the `api` section of `default.yaml` for examples of how to configure this.
 Here's an example of how to test an API configured to run over loopback TCP in plaintext:
 ```bash
 curl -d '{"accountName": "invalidaccountname", "passphrase": "invalidpassphrase"}' -H 'Authorization: Bearer EYBbXVilnumTtfn4A9HE8_TiKLGWEGylre7FG6gEww0' -v http://127.0.0.1:8089/v1/check_auth
 ```
 This returns:
 ```json
 {"success":false}
 ```
 Endpoints
 =========
 `/v1/account_details`
 ----------------
 This endpoint fetches account details and returns them as JSON. The request is a JSON object with fields:
 * `accountName`: string, name of the account
 The response is a JSON object with fields:
 * `success`: whether the account exists or not
 * `accountName`: canonical, case-unfolded version of the account name
 * `email`: email address of the account provided
 * `registeredAt`: string, registration date/time of the account (in ISO8601 format)
 * `channels`: array of strings, list of channels the account is registered on or associated with
 `/v1/check_auth`
 ----------------
 This endpoint verifies the credentials of a NickServ account; this allows Ergo to be used as the source of truth for authentication by another system. The request is a JSON object with fields:
 * `accountName`: string, name of the account
 * `passphrase`: string, alleged passphrase of the account
 The response is a JSON object with fields:
 * `success`: whether the credentials provided were valid
 * `accountName`: canonical, case-unfolded version of the account name
 `/v1/rehash`
 ------------
 This endpoint rehashes the server (i.e. reloads the configuration file, TLS certificates, and other associated data). The body is ignored. The response is a JSON object with fields:
 * `success`: boolean, indicates whether the rehash was successful
 * `error`: string, optional, human-readable description of the failure
 `/v1/saregister`
 ----------------
 This endpoint registers an account in NickServ, with the same semantics as `NS SAREGISTER`. The request is a JSON object with fields:
 * `accountName`: string, name of the account
 * `passphrase`: string, passphrase of the account
 The response is a JSON object with fields:
 * `success`: whether the account creation succeeded
 * `errorCode`: string, optional, machine-readable description of the error. Possible values include: `ACCOUNT_EXISTS`, `INVALID_PASSPHRASE`, `UNKNOWN_ERROR`.
 * `error`: string, optional, human-readable description of the failure.
 `/v1/account_list`
 -------------------
 This endpoint fetches a list of all accounts. The request body is ignored and can be empty.
 The response is a JSON object with fields:
 * `success`: whether the request succeeded
 * `accounts`: array of objects, each with fields:
  * `success`: boolean, whether this individual account query succeeded
  * `accountName`: string, canonical, case-unfolded version of the account name
 * `totalCount`: integer, total number of accounts returned
 `/v1/status`
 -------------
 This endpoint returns status information about the running Ergo server. The request body is ignored and can be empty.
 The response is a JSON object with fields:
 * `success`: whether the request succeeded
 * `version`: string, Ergo server version string
 * `go_version`: string, version of Go runtime used
 * `start_time`: string, server start time in ISO8601 format
 * `users`: object with fields:
  * `total`: total number of users connected
  * `invisible`: number of invisible users
  * `operators`: number of operators connected
  * `unknown`: number of users with unknown status
  * `max`: maximum number of users seen connected at once
 * `channels`: integer, number of channels currently active
 * `servers`: integer, number of servers connected in the network
--- a/docs/MANUAL.md
+++ b/docs/MANUAL.md
@ -44,7 +44,6 @@ _Copyright © Daniel Oaks <daniel@danieloaks.net>, Shivaram Lingamneni <slingamn
    - [Persistent history with MySQL](#persistent-history-with-mysql)
    - [IP cloaking](#ip-cloaking)
    - [Moderation](#moderation)
    - [Push notifications](#push-notifications)
 - [Frequently Asked Questions](#frequently-asked-questions)
 - [IRC over TLS](#irc-over-tls)
    - [Redirect from plaintext to TLS](#how-can-i-redirect-users-from-plaintext-to-tls)
@ -63,7 +62,6 @@ _Copyright © Daniel Oaks <daniel@danieloaks.net>, Shivaram Lingamneni <slingamn
    - [Tor](#tor)
    - [I2P](#i2p)
    - [ZNC](#znc)
    - [API](#api)
    - [External authentication systems](#external-authentication-systems)
    - [DNSBLs and other IP checking systems](#dnsbls-and-other-ip-checking-systems)
 - [Acknowledgements](#acknowledgements)
@ -485,19 +483,6 @@ These techniques require operator privileges: `UBAN` requires the `ban` operator
 For channel operators, `/msg ChanServ HOWTOBAN #channel nickname` will provide similar information about the best way to ban a user from a channel.
 ## Push notifications
 Ergo now has experimental support for push notifications via the [draft/webpush](https://github.com/ircv3/ircv3-specifications/pull/471) IRCv3 specification. Support for push notifications is disabled by default; operators can enable it by setting `webpush.enabled` to `true` in the configuration file. This has security, privacy, and performance implications:
 * If push notifications are enabled, Ergo will send HTTP POST requests to HTTP endpoints of the user's choosing. Although the user has limited control over the POST body (since it is encrypted with random key material), and Ergo disallows requests to local or internal IP addresses, this may potentially impact the IP reputation of the Ergo host, or allow an attacker to probe endpoints that whitelist the Ergo host's IP address.
 * Push notifications result in the disclosure of metadata (that the user received a message, and the approximate time of the message) to third-party messaging infrastructure. In the typical case, this will include a push endpoint controlled by the application vendor, plus the push infrastructure controlled by Apple or Google.
 * The message contents (including the sender's identity) are protected by [encryption](https://datatracker.ietf.org/doc/html/rfc8291) between the server and the user's endpoint device. However, the encryption algorithm is not forward-secret (a long-term private key is stored on the user's device) or post-quantum (the server retains a copy of the corresponding elliptic curve public key).
 * Push notifications are relatively expensive to process, and may increase the impact of spam or denial-of-service attacks on the Ergo server.
 * Push notifications negate the anonymization provided by Tor and I2P; an Ergo instance intended to run as a Tor onion service ("hidden service") or exclusively behind an I2P address must disable them in the Ergo configuration file.
 Operators and end users are invited to share feedback about push notifications, either via the project issue tracker or the support channel. Note that in order to receive push notifications, the user must be logged in with always-on enabled, and must be using a client (e.g. Goguma) that supports them.
 -------------------------------------------------------------------------------------------
@ -1136,7 +1121,6 @@ Tor provides end-to-end encryption for onion services, so there's no need to ena
 The second way is to run Ergo as a true hidden service, where the server's actual IP address is a secret. This requires hardening measures on the Ergo side:
 * Ergo should not accept any connections on its public interfaces. You should remove any listener that starts with the address of a public interface, or with `:`, which means "listen on all available interfaces". You should listen only on `127.0.0.1:6667` and a Unix domain socket such as `/hidden_service_sockets/ergo_tor_sock`.
 * Push notifications will reveal the server's true IP address, so they must be disabled; set `webpush.enabled` to `false`.
 * In this mode, it is especially important that all operator passwords are strong and all operators are trusted (operators have a larger attack surface to deanonymize the server).
 * Onion services are at risk of being deanonymized if a client can trick the server into performing a non-Tor network request. Ergo should not perform any such requests (such as hostname resolution or ident lookups) in response to input received over a correctly configured Tor listener. However, Ergo has not been thoroughly audited against such deanonymization attacks --- therefore, Ergo should be deployed with additional sandboxing to protect against this:
  * Ergo should run with no direct network connectivity, e.g., by running in its own Linux network namespace. systemd implements this with the [PrivateNetwork](https://www.freedesktop.org/software/systemd/man/systemd.exec.html) configuration option: add `PrivateNetwork=true` to Ergo's systemd unit file.
@ -1176,10 +1160,6 @@ ZNC 1.6.x (still pretty common in distros that package old versions of IRC softw
 Ergo can emulate certain capabilities of the ZNC bouncer for the benefit of clients, in particular the third-party [playback](https://wiki.znc.in/Playback) module. This enables clients with specific support for ZNC to receive selective history playback automatically. To configure this in [Textual](https://www.codeux.com/textual/), go to "Server properties", select "Vendor specific", uncheck "Do not automatically join channels on connect", and check "Only play back messages you missed". Other clients with support are listed on ZNC's wiki page.
 ## API
 Ergo offers an HTTP API that can be used to control Ergo, or to allow other applications to use Ergo as a source of truth for authentication. The API is documented separately; see [API.md](https://github.com/ergochat/ergo/blob/stable/docs/API.md) on the website, or the `API.md` file that was bundled with your release.
 ## External authentication systems
 Ergo can be configured to call arbitrary scripts to authenticate users; see the `auth-script` section of the config. The API for these scripts is as follows: Ergo will invoke the script with a configurable set of arguments, then send it the authentication data as JSON on the first line (`\n`-terminated) of stdin. The input is a JSON dictionary with the following keys:
--- a/docs/USERGUIDE.md
+++ b/docs/USERGUIDE.md
@ -23,7 +23,6 @@ _Copyright © Daniel Oaks <daniel@danieloaks.net>, Shivaram Lingamneni <slingamn
 - [Always-on](#always-on)
 - [Multiclient](#multiclient)
 - [History](#history)
 - [Push notifications](#push-notifications)
 --------------------------------------------------------------------------------------------
@ -86,7 +85,7 @@ Once you've registered your nickname, you can use it to register channels. By de
 /msg ChanServ register #myChannel
 ```
-The channel must exist (if it doesn't, you can create it with `/join #myChannel`) and you must already be an operator (have the `+o` channel mode --- your client may display this as an `@` next to your nickname). If you're not a channel operator in the channel you want to register, ask your server administrator for help.
+You must already be an operator (have the `+o` channel mode --- your client may display this as an `@` next to your nickname). If you're not a channel operator in the channel you want to register, ask your server administrator for help.
 # Always-on
@ -122,7 +121,3 @@ If you have registered a channel, you can make it private. The best way to do th
 1. Identify the users you want to be able to access the channel. Ensure that they have registered their accounts (you should be able to see their registration status if you `/WHOIS` their nicknames).
 1. Add the desired nick/account names to the invite exception list (`/mode #example +I alice`) or give them persistent voice (`/msg ChanServ AMODE #example +v alice`)
 1. If you want to grant a persistent channel privilege to a user, you can do it with `CS AMODE` (`/msg ChanServ AMODE #example +o bob`)
 # Push notifications
 Ergo has experimental support for mobile push notifications. The server operator must enable this functionality; to check whether this is the case, you can send `/msg NickServ push list`. You must additionally be using a client (e.g. Goguma) that supports the functionality, and your account must be set to always-on (`/msg NickServ set always-on true`, as described above).
--- a/ergo.go
+++ b/ergo.go
@ -21,7 +21,6 @@ import (
 	"github.com/ergochat/ergo/irc"
 	"github.com/ergochat/ergo/irc/logger"
 	"github.com/ergochat/ergo/irc/mkcerts"
 	"github.com/ergochat/ergo/irc/utils"
 )
 // set via linker flags, either by make or by goreleaser:
@ -100,7 +99,6 @@ Usage:
 	ergo genpasswd [--conf <filename>] [--quiet]
 	ergo mkcerts [--conf <filename>] [--quiet]
 	ergo defaultconfig
 	ergo gentoken
 	ergo run [--conf <filename>] [--quiet] [--smoke]
 	ergo -h | --help
 	ergo --version
@ -143,9 +141,6 @@ Options:
 	} else if arguments["defaultconfig"].(bool) {
 		fmt.Print(defaultConfig)
 		return
 	} else if arguments["gentoken"].(bool) {
 		fmt.Println(utils.GenerateSecretKey())
 		return
 	} else if arguments["mkcerts"].(bool) {
 		doMkcerts(arguments["--conf"].(string), arguments["--quiet"].(bool))
 		return
@ -193,7 +188,7 @@ Options:
 		// warning if running a non-final version
 		if strings.Contains(irc.Ver, "unreleased") {
-			logman.Warning("server", "You are currently running an unreleased beta version of Ergo that may be unstable and could corrupt your database.\nIf you are running a production network, please download the latest build from https://ergo.chat/about and run that instead.")
+			logman.Warning("server", "You are currently running an unreleased beta version of Ergo that may be unstable and could corrupt your database.\nIf you are running a production network, please download the latest build from https://ergo.chat/downloads.html and run that instead.")
 		}
 		server, err := irc.NewServer(config, logman)
--- a/gencapdefs.py
+++ b/gencapdefs.py
@ -219,31 +219,6 @@ CAPDEFS = [
        url="https://github.com/ircv3/ircv3-specifications/pull/527",
        standard="proposed IRCv3",
    ),
   CapDef(
        identifier="ExtendedISupport",
        name="draft/extended-isupport",
        url="https://github.com/ircv3/ircv3-specifications/pull/543",
        standard="proposed IRCv3",
    ),
   CapDef(
        identifier="WebPush",
        name="draft/webpush",
        url="https://github.com/ircv3/ircv3-specifications/pull/471",
        standard="proposed IRCv3",
    ),
   CapDef(
        identifier="SojuWebPush",
        name="soju.im/webpush",
        url="https://github.com/ircv3/ircv3-specifications/pull/471",
        standard="Soju/Goguma vendor",
    ),
    CapDef(
        identifier="Metadata",
        name="draft/metadata-2",
        url="https://ircv3.net/specs/extensions/metadata",
        standard="draft IRCv3",
    ),
 ]
 def validate_defs():
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/ergochat/ergo
-go 1.24
+go 1.22
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20200131002437-cf55d5288a48
@ -8,27 +8,25 @@ require (
 	github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815
 	github.com/ergochat/confusables v0.0.0-20201108231250-4ab98ab61fb1
 	github.com/ergochat/go-ident v0.0.0-20230911071154-8c30606d6881
-	github.com/ergochat/irc-go v0.5.0-rc2
+	github.com/ergochat/irc-go v0.5.0-rc1
 	github.com/go-sql-driver/mysql v1.7.0
 	github.com/go-test/deep v1.0.6 // indirect
 	github.com/gofrs/flock v0.8.1
 	github.com/gorilla/websocket v1.4.2
 	github.com/okzk/sdnotify v0.0.0-20180710141335-d9becc38acbd
 	github.com/onsi/ginkgo v1.12.0 // indirect
 	github.com/onsi/gomega v1.9.0 // indirect
 	github.com/stretchr/testify v1.4.0 // indirect
-	github.com/tidwall/buntdb v1.3.2
+	github.com/tidwall/buntdb v1.2.10
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208
 	github.com/xdg-go/scram v1.0.2
-	golang.org/x/crypto v0.38.0
+	golang.org/x/crypto v0.17.0
-	golang.org/x/term v0.32.0
+	golang.org/x/term v0.15.0
-	golang.org/x/text v0.25.0
+	golang.org/x/text v0.14.0
 	gopkg.in/yaml.v2 v2.4.0
 )
-require (
+require github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/emersion/go-msgauth v0.7.0
 	github.com/ergochat/webpush-go/v2 v2.0.0
 	github.com/golang-jwt/jwt/v5 v5.2.2
 )
 require (
 	github.com/tidwall/btree v1.4.2 // indirect
@ -39,7 +37,7 @@ require (
 	github.com/tidwall/rtred v0.1.2 // indirect
 	github.com/tidwall/tinyqueue v0.1.1 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
 )
 replace github.com/gorilla/websocket => github.com/ergochat/websocket v1.4.2-oragono1
--- a/go.sum
+++ b/go.sum
@ -6,29 +6,27 @@ github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815 h1:bWDMxwH3px2JBh6AyO7hdCn/PkvCZXii8TGj7sbtEbQ=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/emersion/go-msgauth v0.6.8 h1:kW/0E9E8Zx5CdKsERC/WnAvnXvX7q9wTHia1OA4944A=
 github.com/emersion/go-msgauth v0.6.8/go.mod h1:YDwuyTCUHu9xxmAeVj0eW4INnwB6NNZoPdLerpSxRrc=
 github.com/emersion/go-msgauth v0.7.0 h1:vj2hMn6KhFtW41kshIBTXvp6KgYSqpA/ZN9Pv4g1INc=
 github.com/emersion/go-msgauth v0.7.0/go.mod h1:mmS9I6HkSovrNgq0HNXTeu8l3sRAAuQ9RMvbM4KU7Ck=
 github.com/ergochat/confusables v0.0.0-20201108231250-4ab98ab61fb1 h1:WLHTOodthVyv5NvYLIvWl112kSFv5IInKKrRN2qpons=
 github.com/ergochat/confusables v0.0.0-20201108231250-4ab98ab61fb1/go.mod h1:mov+uh1DPWsltdQnOdzn08UO9GsJ3MEvhtu0Ci37fdk=
 github.com/ergochat/go-ident v0.0.0-20230911071154-8c30606d6881 h1:+J5m88nvybxB5AnBVGzTXM/yHVytt48rXBGcJGzSbms=
 github.com/ergochat/go-ident v0.0.0-20230911071154-8c30606d6881/go.mod h1:ASYJtQujNitna6cVHsNQTGrfWvMPJ5Sa2lZlmsH65uM=
-github.com/ergochat/irc-go v0.5.0-rc2 h1:VuSQJF5K4hWvYSzGa4b8vgL6kzw8HF6LSOejE+RWpAo=
+github.com/ergochat/irc-go v0.4.0 h1:0YibCKfAAtwxQdNjLQd9xpIEPisLcJ45f8FNsMHAuZc=
-github.com/ergochat/irc-go v0.5.0-rc2/go.mod h1:2vi7KNpIPWnReB5hmLpl92eMywQvuIeIIGdt/FQCph0=
+github.com/ergochat/irc-go v0.4.0/go.mod h1:2vi7KNpIPWnReB5hmLpl92eMywQvuIeIIGdt/FQCph0=
 github.com/ergochat/irc-go v0.5.0-rc1 h1:kFoIHExoNFQ2CV+iShAVna/H4xrXQB4t4jK5Sep2j9k=
 github.com/ergochat/irc-go v0.5.0-rc1/go.mod h1:2vi7KNpIPWnReB5hmLpl92eMywQvuIeIIGdt/FQCph0=
 github.com/ergochat/scram v1.0.2-ergo1 h1:2bYXiRFQH636pT0msOG39fmEYl4Eq+OuutcyDsCix/g=
 github.com/ergochat/scram v1.0.2-ergo1/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/ergochat/webpush-go/v2 v2.0.0 h1:n6eoJk8RpzJFeBJ6gxvqo/dngnVEmJbzJwzKtCZbByo=
 github.com/ergochat/webpush-go/v2 v2.0.0/go.mod h1:OQlhnq8JeHDzRzAy6bdDObr19uqbHliOV+z7mHbYr4c=
 github.com/ergochat/websocket v1.4.2-oragono1 h1:plMUunFBM6UoSCIYCKKclTdy/TkkHfUslhOfJQzfueM=
 github.com/ergochat/websocket v1.4.2-oragono1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-test/deep v1.0.6 h1:UHSEyLZUwX9Qoi99vVwvewiMC8mM2bf7XEM2nqvzEn8=
 github.com/go-test/deep v1.0.6/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
 github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@ -49,8 +47,8 @@ github.com/tidwall/assert v0.1.0 h1:aWcKyRBUAdLoVebxo95N7+YZVTFF/ASTr7BN4sLP6XI=
 github.com/tidwall/assert v0.1.0/go.mod h1:QLYtGyeqse53vuELQheYl9dngGCJQ+mTtlxcktb+Kj8=
 github.com/tidwall/btree v1.4.2 h1:PpkaieETJMUxYNADsjgtNRcERX7mGc/GP2zp/r5FM3g=
 github.com/tidwall/btree v1.4.2/go.mod h1:LGm8L/DZjPLmeWGjv5kFrY8dL4uVhMmzmmLYmsObdKE=
-github.com/tidwall/buntdb v1.3.2 h1:qd+IpdEGs0pZci37G4jF51+fSKlkuUTMXuHhXL1AkKg=
+github.com/tidwall/buntdb v1.2.10 h1:U/ebfkmYPBnyiNZIirUiWFcxA/mgzjbKlyPynFsPtyM=
-github.com/tidwall/buntdb v1.3.2/go.mod h1:lZZrZUWzlyDJKlLQ6DKAy53LnG7m5kHyrEHvvcDmBpU=
+github.com/tidwall/buntdb v1.2.10/go.mod h1:lZZrZUWzlyDJKlLQ6DKAy53LnG7m5kHyrEHvvcDmBpU=
 github.com/tidwall/gjson v1.12.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/gjson v1.14.3 h1:9jvXn7olKEHU1S9vwoMGliaT8jq1vJ7IH/n9zD9Dnlw=
 github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
@ -66,34 +64,28 @@ github.com/tidwall/rtred v0.1.2 h1:exmoQtOLvDoO8ud++6LwVsAMTu0KPzLTUrMln8u1yu8=
 github.com/tidwall/rtred v0.1.2/go.mod h1:hd69WNXQ5RP9vHd7dqekAz+RIdtfBogmglkZSRxCHFQ=
 github.com/tidwall/tinyqueue v0.1.1 h1:SpNEvEggbpyN5DIReaJ2/1ndroY8iyEGxPYxoSaymYE=
 github.com/tidwall/tinyqueue v0.1.1/go.mod h1:O/QNHwrnjqr6IHItYrzoHAKYhBkLI67Q096fQP5zMYw=
 github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 h1:PM5hJF7HVfNWmCjMdEfbuOBNXSVF2cMFGgQTPdKCbwM=
 github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208/go.mod h1:BzWtXXrXzZUvMacR0oF/fbDDgUPO8L36tDMmRAf14ns=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/stringprep v1.0.2 h1:6iq84/ryjjeRmMJwxutI51F2GIPlP5BfTvXHeYjyhBc=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
 golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
 golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/irc/accounts.go
+++ b/irc/accounts.go
@ -51,7 +51,6 @@ const (
 	// for an always-on client, a map of channel names they're in to their current modes
 	// (not to be confused with their amodes, which a non-always-on client can have):
 	keyAccountChannelToModes = "account.channeltomodes %s"
 	keyAccountPushSubscriptions = "account.pushsubscriptions %s"
 	maxCertfpsPerAccount = 5
 )
@ -136,7 +135,6 @@ func (am *AccountManager) createAlwaysOnClients(config *Config) {
 				am.loadTimeMap(keyAccountReadMarkers, accountName),
 				am.loadModes(accountName),
 				am.loadRealname(accountName),
 				am.loadPushSubscriptions(accountName),
 			)
 		}
 	}
@ -717,40 +715,6 @@ func (am *AccountManager) loadRealname(account string) (realname string) {
 	return
 }
 func (am *AccountManager) savePushSubscriptions(account string, subs []storedPushSubscription) {
 	j, err := json.Marshal(subs)
 	if err != nil {
 		am.server.logger.Error("internal", "error storing push subscriptions", err.Error())
 		return
 	}
 	val := string(j)
 	key := fmt.Sprintf(keyAccountPushSubscriptions, account)
 	am.server.store.Update(func(tx *buntdb.Tx) error {
 		tx.Set(key, val, nil)
 		return nil
 	})
 	return
 }
 func (am *AccountManager) loadPushSubscriptions(account string) (result []storedPushSubscription) {
 	key := fmt.Sprintf(keyAccountPushSubscriptions, account)
 	var val string
 	am.server.store.View(func(tx *buntdb.Tx) error {
 		val, _ = tx.Get(key)
 		return nil
 	})
 	if val == "" {
 		return nil
 	}
 	if err := json.Unmarshal([]byte(val), &result); err == nil {
 		return result
 	} else {
 		am.server.logger.Error("internal", "error loading push subscriptions", err.Error())
 		return nil
 	}
 }
 func (am *AccountManager) addRemoveCertfp(account, certfp string, add bool, hasPrivs bool) (err error) {
 	certfp, err = utils.NormalizeCertfp(certfp)
 	if err != nil {
@ -986,7 +950,7 @@ func (am *AccountManager) Verify(client *Client, account string, code string, ad
 	if client != nil {
 		am.Login(client, clientAccount)
 		if client.AlwaysOn() {
-			client.markDirty(IncludeAllAttrs)
+			client.markDirty(IncludeRealname)
 		}
 	}
 	// we may need to do nick enforcement here:
@ -1157,7 +1121,7 @@ func (am *AccountManager) NsSendpass(client *Client, accountName string) (err er
 	message := email.ComposeMail(config.Accounts.Registration.EmailVerification, account.Settings.Email, subject)
 	fmt.Fprintf(&message, client.t("We received a request to reset your password on %[1]s for account: %[2]s"), am.server.name, account.Name)
 	message.WriteString("\r\n")
-	message.WriteString(client.t("If you did not initiate this request, you can safely ignore this message."))
+	fmt.Fprintf(&message, client.t("If you did not initiate this request, you can safely ignore this message."))
 	message.WriteString("\r\n")
 	message.WriteString("\r\n")
 	message.WriteString(client.t("Otherwise, to reset your password, issue the following command (replace `new_password` with your desired password):"))
@ -1879,7 +1843,6 @@ func (am *AccountManager) Unregister(account string, erase bool) error {
 	suspendedKey := fmt.Sprintf(keyAccountSuspended, casefoldedAccount)
 	pwResetKey := fmt.Sprintf(keyAccountPwReset, casefoldedAccount)
 	emailChangeKey := fmt.Sprintf(keyAccountEmailChange, casefoldedAccount)
 	pushSubscriptionsKey := fmt.Sprintf(keyAccountPushSubscriptions, casefoldedAccount)
 	var clients []*Client
 	defer func() {
@ -1938,7 +1901,6 @@ func (am *AccountManager) Unregister(account string, erase bool) error {
 		tx.Delete(suspendedKey)
 		tx.Delete(pwResetKey)
 		tx.Delete(emailChangeKey)
 		tx.Delete(pushSubscriptionsKey)
 		return nil
 	})
--- a/irc/api.go
+++ b/irc/api.go
@ -1,311 +0,0 @@
 package irc
 import (
 	"crypto/subtle"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"runtime"
 	"strings"
 	"github.com/ergochat/ergo/irc/utils"
 )
 func newAPIHandler(server *Server) http.Handler {
 	api := &ergoAPI{
 		server: server,
 		mux:    http.NewServeMux(),
 	}
 	api.mux.HandleFunc("POST /v1/rehash", api.handleRehash)
 	api.mux.HandleFunc("POST /v1/check_auth", api.handleCheckAuth)
 	api.mux.HandleFunc("POST /v1/saregister", api.handleSaregister)
 	api.mux.HandleFunc("POST /v1/account_details", api.handleAccountDetails)
 	api.mux.HandleFunc("POST /v1/account_list", api.handleAccountList)
 	api.mux.HandleFunc("POST /v1/status", api.handleStatus)
 	return api
 }
 type ergoAPI struct {
 	server *Server
 	mux    *http.ServeMux
 }
 func (a *ergoAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	defer a.server.HandlePanic(nil)
 	defer a.server.logger.Debug("api", r.URL.Path)
 	if a.checkBearerAuth(r.Header.Get("Authorization")) {
 		a.mux.ServeHTTP(w, r)
 	} else {
 		http.Error(w, "Unauthorized", http.StatusUnauthorized)
 	}
 }
 func (a *ergoAPI) checkBearerAuth(authHeader string) (authorized bool) {
 	if authHeader == "" {
 		return false
 	}
 	c := a.server.Config()
 	if !c.API.Enabled {
 		return false
 	}
 	spaceIdx := strings.IndexByte(authHeader, ' ')
 	if spaceIdx < 0 {
 		return false
 	}
 	if !strings.EqualFold("Bearer", authHeader[:spaceIdx]) {
 		return false
 	}
 	providedTokenBytes := []byte(authHeader[spaceIdx+1:])
 	for _, tokenBytes := range c.API.bearerTokenBytes {
 		if subtle.ConstantTimeCompare(tokenBytes, providedTokenBytes) == 1 {
 			return true
 		}
 	}
 	return false
 }
 func (a *ergoAPI) decodeJSONRequest(request any, w http.ResponseWriter, r *http.Request) (err error) {
 	err = json.NewDecoder(r.Body).Decode(request)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("failed to deserialize json request: %v", err), http.StatusBadRequest)
 	}
 	return err
 }
 func (a *ergoAPI) writeJSONResponse(response any, w http.ResponseWriter, r *http.Request) {
 	j, err := json.Marshal(response)
 	if err == nil {
 		j = append(j, '\n') // less annoying in curl output
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
 		w.Write(j)
 	} else {
 		a.server.logger.Error("internal", "failed to serialize API response", r.URL.Path, err.Error())
 		http.Error(w, fmt.Sprintf("failed to serialize json response: %v", err), http.StatusInternalServerError)
 	}
 }
 type apiGenericResponse struct {
 	Success   bool   `json:"success"`
 	Error     string `json:"error,omitempty"`
 	ErrorCode string `json:"errorCode,omitempty"`
 }
 func (a *ergoAPI) handleRehash(w http.ResponseWriter, r *http.Request) {
 	var response apiGenericResponse
 	err := a.server.rehash()
 	if err == nil {
 		response.Success = true
 	} else {
 		response.Success = false
 		response.Error = err.Error()
 	}
 	a.writeJSONResponse(response, w, r)
 }
 type apiCheckAuthResponse struct {
 	apiGenericResponse
 	AccountName string `json:"accountName,omitempty"`
 }
 func (a *ergoAPI) handleCheckAuth(w http.ResponseWriter, r *http.Request) {
 	var request AuthScriptInput
 	if err := a.decodeJSONRequest(&request, w, r); err != nil {
 		return
 	}
 	var response apiCheckAuthResponse
 	// try passphrase if present
 	if request.AccountName != "" && request.Passphrase != "" {
 		account, err := a.server.accounts.checkPassphrase(request.AccountName, request.Passphrase)
 		switch err {
 		case nil:
 			// success, no error
 			response.Success = true
 			response.AccountName = account.Name
 		case errAccountDoesNotExist, errAccountInvalidCredentials, errAccountUnverified, errAccountSuspended:
 			// fail, no error
 			response.Success = false
 		default:
 			response.Success = false
 			response.Error = err.Error()
 		}
 	}
 	// try certfp if present
 	if !response.Success && request.Certfp != "" {
 		// TODO support cerftp
 	}
 	a.writeJSONResponse(response, w, r)
 }
 type apiSaregisterRequest struct {
 	AccountName string `json:"accountName"`
 	Passphrase  string `json:"passphrase"`
 }
 func (a *ergoAPI) handleSaregister(w http.ResponseWriter, r *http.Request) {
 	var request apiSaregisterRequest
 	if err := a.decodeJSONRequest(&request, w, r); err != nil {
 		return
 	}
 	var response apiGenericResponse
 	err := a.server.accounts.SARegister(request.AccountName, request.Passphrase)
 	if err == nil {
 		response.Success = true
 	} else {
 		response.Success = false
 		response.Error = err.Error()
 		switch err {
 		case errAccountAlreadyRegistered, errAccountAlreadyVerified, errNameReserved:
 			response.ErrorCode = "ACCOUNT_EXISTS"
 		case errAccountBadPassphrase:
 			response.ErrorCode = "INVALID_PASSPHRASE"
 		default:
 			response.ErrorCode = "UNKNOWN_ERROR"
 		}
 	}
 	a.writeJSONResponse(response, w, r)
 }
 type apiAccountDetailsResponse struct {
 	apiGenericResponse
 	AccountName  string   `json:"accountName,omitempty"`
 	Email        string   `json:"email,omitempty"`
 	RegisteredAt string   `json:"registeredAt,omitempty"`
 	Channels     []string `json:"channels,omitempty"`
 }
 type apiAccountDetailsRequest struct {
 	AccountName string `json:"accountName"`
 }
 func (a *ergoAPI) handleAccountDetails(w http.ResponseWriter, r *http.Request) {
 	var request apiAccountDetailsRequest
 	if err := a.decodeJSONRequest(&request, w, r); err != nil {
 		return
 	}
 	var response apiAccountDetailsResponse
 	if request.AccountName != "" {
 		accountData, err := a.server.accounts.LoadAccount(request.AccountName)
 		if err == nil {
 			if !accountData.Verified {
 				err = errAccountUnverified
 			} else if accountData.Suspended != nil {
 				err = errAccountSuspended
 			}
 		}
 		switch err {
 		case nil:
 			response.AccountName = accountData.Name
 			response.Email = accountData.Settings.Email
 			if !accountData.RegisteredAt.IsZero() {
 				response.RegisteredAt = accountData.RegisteredAt.Format(utils.IRCv3TimestampFormat)
 			}
 			// Get channels the account is in
 			response.Channels = a.server.channels.ChannelsForAccount(accountData.NameCasefolded)
 			response.Success = true
 		case errAccountDoesNotExist, errAccountUnverified, errAccountSuspended:
 			response.Success = false
 		default:
 			response.Success = false
 			response.ErrorCode = "UNKNOWN_ERROR"
 			response.Error = err.Error()
 		}
 	} else {
 		response.Success = false
 		response.ErrorCode = "INVALID_REQUEST"
 	}
 	a.writeJSONResponse(response, w, r)
 }
 type apiAccountListResponse struct {
 	apiGenericResponse
 	Accounts   []apiAccountDetailsResponse `json:"accounts"`
 	TotalCount int                         `json:"totalCount"`
 }
 func (a *ergoAPI) handleAccountList(w http.ResponseWriter, r *http.Request) {
 	var response apiAccountListResponse
 	// Get all account names
 	accounts := a.server.accounts.AllNicks()
 	response.TotalCount = len(accounts)
 	// Load account details
 	response.Accounts = make([]apiAccountDetailsResponse, len(accounts))
 	for i, account := range accounts {
 		accountData, err := a.server.accounts.LoadAccount(account)
 		if err != nil {
 			response.Accounts[i] = apiAccountDetailsResponse{
 				apiGenericResponse: apiGenericResponse{
 					Success: false,
 					Error:   err.Error(),
 				},
 			}
 			continue
 		}
 		response.Accounts[i] = apiAccountDetailsResponse{
 			apiGenericResponse: apiGenericResponse{
 				Success: true,
 			},
 			AccountName: accountData.Name,
 			Email:       accountData.Settings.Email,
 		}
 	}
 	response.Success = true
 	a.writeJSONResponse(response, w, r)
 }
 type apiStatusResponse struct {
 	apiGenericResponse
 	Version   string `json:"version"`
 	GoVersion string `json:"go_version"`
 	Commit    string `json:"commit,omitempty"`
 	StartTime string `json:"start_time"`
 	Users     struct {
 		Total     int `json:"total"`
 		Invisible int `json:"invisible"`
 		Operators int `json:"operators"`
 		Unknown   int `json:"unknown"`
 		Max       int `json:"max"`
 	} `json:"users"`
 	Channels int `json:"channels"`
 	Servers  int `json:"servers"`
 }
 func (a *ergoAPI) handleStatus(w http.ResponseWriter, r *http.Request) {
 	server := a.server
 	stats := server.stats.GetValues()
 	response := apiStatusResponse{
 		apiGenericResponse: apiGenericResponse{Success: true},
 		Version:            SemVer,
 		GoVersion:          runtime.Version(),
 		Commit:             Commit,
 		StartTime:          server.ctime.Format(utils.IRCv3TimestampFormat),
 	}
 	response.Users.Total = stats.Total
 	response.Users.Invisible = stats.Invisible
 	response.Users.Operators = stats.Operators
 	response.Users.Unknown = stats.Unknown
 	response.Users.Max = stats.Max
 	response.Channels = server.channels.Len()
 	response.Servers = 1
 	a.writeJSONResponse(response, w, r)
 }
--- a/irc/bunt/bunt_datastore.go
+++ b/irc/bunt/bunt_datastore.go
@ -44,11 +44,10 @@ func (b *buntdbDatastore) GetAll(table datastore.Table) (result []datastore.KV,
 	tablePrefix := fmt.Sprintf("%x ", table)
 	err = b.db.View(func(tx *buntdb.Tx) error {
 		err := tx.AscendGreaterOrEqual("", tablePrefix, func(key, value string) bool {
-			encUUID, ok := strings.CutPrefix(key, tablePrefix)
+			if !strings.HasPrefix(key, tablePrefix) {
 			if !ok {
 				return false
 			}
-			uuid, err := utils.DecodeUUID(encUUID)
+			uuid, err := utils.DecodeUUID(strings.TrimPrefix(key, tablePrefix))
 			if err == nil {
 				result = append(result, datastore.KV{UUID: uuid, Value: []byte(value)})
 			} else {
--- a/irc/caps/constants.go
+++ b/irc/caps/constants.go
@ -64,11 +64,10 @@ const (
 	BotTagName = "bot"
 	// https://ircv3.net/specs/extensions/chathistory
 	ChathistoryTargetsBatchType = "draft/chathistory-targets"
 	ExtendedISupportBatchType   = "draft/isupport"
 )
 func init() {
-	nameToCapability = make(map[string]Capability, numCapabs)
+	nameToCapability = make(map[string]Capability)
 	for capab, name := range capabilityNames {
 		nameToCapability[name] = Capability(capab)
 	}
--- a/irc/caps/defs.go
+++ b/irc/caps/defs.go
@ -7,7 +7,7 @@ package caps
 const (
 	// number of recognized capabilities:
-	numCapabs = 38
+	numCapabs = 34
 	// length of the uint32 array that represents the bitset:
 	bitsetLen = 2
 )
@ -53,10 +53,6 @@ const (
 	// https://github.com/ircv3/ircv3-specifications/pull/362
 	EventPlayback Capability = iota
 	// ExtendedISupport is the proposed IRCv3 capability named "draft/extended-isupport":
 	// https://github.com/ircv3/ircv3-specifications/pull/543
 	ExtendedISupport Capability = iota
 	// Languages is the proposed IRCv3 capability named "draft/languages":
 	// https://gist.github.com/DanielOaks/8126122f74b26012a3de37db80e4e0c6
 	Languages Capability = iota
@ -65,10 +61,6 @@ const (
 	// https://github.com/progval/ircv3-specifications/blob/redaction/extensions/message-redaction.md
 	MessageRedaction Capability = iota
 	// Metadata is the draft IRCv3 capability named "draft/metadata-2":
 	// https://ircv3.net/specs/extensions/metadata
 	Metadata Capability = iota
 	// Multiline is the proposed IRCv3 capability named "draft/multiline":
 	// https://github.com/ircv3/ircv3-specifications/pull/398
 	Multiline Capability = iota
@ -93,10 +85,6 @@ const (
 	// https://github.com/ircv3/ircv3-specifications/pull/417
 	Relaymsg Capability = iota
 	// WebPush is the proposed IRCv3 capability named "draft/webpush":
 	// https://github.com/ircv3/ircv3-specifications/pull/471
 	WebPush Capability = iota
 	// EchoMessage is the IRCv3 capability named "echo-message":
 	// https://ircv3.net/specs/extensions/echo-message-3.2.html
 	EchoMessage Capability = iota
@ -141,10 +129,6 @@ const (
 	// https://ircv3.net/specs/extensions/setname.html
 	SetName Capability = iota
 	// SojuWebPush is the Soju/Goguma vendor capability named "soju.im/webpush":
 	// https://github.com/ircv3/ircv3-specifications/pull/471
 	SojuWebPush Capability = iota
 	// StandardReplies is the IRCv3 capability named "standard-replies":
 	// https://github.com/ircv3/ircv3-specifications/pull/506
 	StandardReplies Capability = iota
@ -179,17 +163,14 @@ var (
 		"draft/channel-rename",
 		"draft/chathistory",
 		"draft/event-playback",
 		"draft/extended-isupport",
 		"draft/languages",
 		"draft/message-redaction",
 		"draft/metadata-2",
 		"draft/multiline",
 		"draft/no-implicit-names",
 		"draft/persistence",
 		"draft/pre-away",
 		"draft/read-marker",
 		"draft/relaymsg",
 		"draft/webpush",
 		"echo-message",
 		"ergo.chat/nope",
 		"extended-join",
@ -201,7 +182,6 @@ var (
 		"sasl",
 		"server-time",
 		"setname",
 		"soju.im/webpush",
 		"standard-replies",
 		"sts",
 		"userhost-in-names",
--- a/irc/channel.go
+++ b/irc/channel.go
@ -7,7 +7,6 @@ package irc
 import (
 	"fmt"
 	"iter"
 	"maps"
 	"strconv"
 	"strings"
@ -22,7 +21,6 @@ import (
 	"github.com/ergochat/ergo/irc/history"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 type ChannelSettings struct {
@ -56,7 +54,6 @@ type Channel struct {
 	dirtyBits         uint
 	settings          ChannelSettings
 	uuid              utils.UUID
 	metadata          map[string]string
 	// these caches are paired to allow iteration over channel members without holding the lock
 	membersCache    []*Client
 	memberDataCache []*memberData
@ -128,7 +125,6 @@ func (channel *Channel) applyRegInfo(chanReg RegisteredChannel) {
 	channel.userLimit = chanReg.UserLimit
 	channel.settings = chanReg.Settings
 	channel.forward = chanReg.Forward
 	channel.metadata = chanReg.Metadata
 	for _, mode := range chanReg.Modes {
 		channel.flags.SetMode(mode, true)
@ -166,7 +162,6 @@ func (channel *Channel) ExportRegistration() (info RegisteredChannel) {
 	info.AccountToUMode = maps.Clone(channel.accountToUMode)
 	info.Settings = channel.settings
 	info.Metadata = channel.metadata
 	return
 }
@ -227,7 +222,7 @@ func (channel *Channel) wakeWriter() {
 // equivalent of Socket.send()
 func (channel *Channel) writeLoop() {
-	defer channel.server.HandlePanic(nil)
+	defer channel.server.HandlePanic()
 	for {
 		// TODO(#357) check the error value of this and implement timed backoff
@ -896,10 +891,6 @@ func (channel *Channel) Join(client *Client, key string, isSajoin bool, rb *Resp
 		rb.Add(nil, client.server.name, "MARKREAD", chname, client.GetReadMarker(chcfname))
 	}
 	if rb.session.capabilities.Has(caps.Metadata) {
 		syncChannelMetadata(client.server, rb, channel)
 	}
 	if rb.session.client == client {
 		// don't send topic and names for a SAJOIN of a different client
 		channel.SendTopic(client, rb, false)
@ -1329,21 +1320,18 @@ func (channel *Channel) SendSplitMessage(command string, minPrefixMode modes.Mod
 	isBot := client.HasMode(modes.Bot)
 	chname := channel.Name()
-	// STATUSMSG targets are prefixed with the supplied min-prefix, e.g., @#channel
+	if !client.server.Config().Server.Compatibility.allowTruncation {
 	if minPrefixMode != modes.Mode(0) {
 		chname = fmt.Sprintf("%s%s", modes.ChannelModePrefixes[minPrefixMode], chname)
 	}
 	config := client.server.Config()
 	dispatchWebPush := false
 	if !config.Server.Compatibility.allowTruncation {
 		if !validateSplitMessageLen(histType, details.nickMask, chname, message) {
 			rb.Add(nil, client.server.name, ERR_INPUTTOOLONG, details.nick, client.t("Line too long to be relayed without truncation"))
 			return
 		}
 	}
 	// STATUSMSG targets are prefixed with the supplied min-prefix, e.g., @#channel
 	if minPrefixMode != modes.Mode(0) {
 		chname = fmt.Sprintf("%s%s", modes.ChannelModePrefixes[minPrefixMode], chname)
 	}
 	if channel.flags.HasMode(modes.OpModerated) {
 		channel.stateMutex.RLock()
 		cuData, ok := channel.members[client]
@ -1367,9 +1355,6 @@ func (channel *Channel) SendSplitMessage(command string, minPrefixMode modes.Mod
 			continue
 		}
 		// TODO consider when we might want to push TAGMSG
 		dispatchWebPush = dispatchWebPush || (config.WebPush.Enabled && histType != history.Tagmsg && member.hasPushSubscriptions())
 		for _, session := range member.Sessions() {
 			if session == rb.session {
 				continue // we already sent echo-message, if applicable
@ -1393,42 +1378,6 @@ func (channel *Channel) SendSplitMessage(command string, minPrefixMode modes.Mod
 			Tags:        clientOnlyTags,
 			IsBot:       isBot,
 		}, details.account)
 		if dispatchWebPush {
 			channel.dispatchWebPush(client, command, details.nickMask, details.accountName, chname, message)
 		}
 	}
 }
 func (channel *Channel) dispatchWebPush(client *Client, command, nuh, accountName, chname string, msg utils.SplitMessage) {
 	msgBytes, err := webpush.MakePushMessage(command, nuh, accountName, chname, msg)
 	if err != nil {
 		channel.server.logger.Error("internal", "can't serialize push message", err.Error())
 		return
 	}
 	messageText := strings.ToLower(msg.CombinedValue())
 	for _, member := range channel.Members() {
 		if member == client {
 			continue // don't push to the client's own devices even if they mentioned themself
 		}
 		if !member.hasPushSubscriptions() {
 			continue
 		}
 		// this is the casefolded account name for comparison to the casefolded message text:
 		account := member.Account()
 		if account == "" {
 			continue
 		}
 		if !webpush.IsHighlight(messageText, account) {
 			continue
 		}
 		member.dispatchPushMessage(pushMessage{
 			msg:      msgBytes,
 			urgency:  webpush.UrgencyHigh,
 			cftarget: channel.NameCasefolded(),
 			time:     msg.Time,
 		})
 	}
 }
@ -1677,20 +1626,6 @@ func (channel *Channel) auditoriumFriends(client *Client) (friends []*Client) {
 	return
 }
 func (channel *Channel) sessionsWithCaps(capabs ...caps.Capability) iter.Seq[*Session] {
 	return func(yield func(*Session) bool) {
 		for _, member := range channel.Members() {
 			for _, sess := range member.Sessions() {
 				if sess.capabilities.HasAll(capabs...) {
 					if !yield(sess) {
 						return
 					}
 				}
 			}
 		}
 	}
 }
 // returns whether the client is visible to unprivileged users in the channel
 // (i.e., respecting auditorium mode). note that this assumes that the client
 // is a member; if the client is not, it may return true anyway
--- a/irc/channelmanager.go
+++ b/irc/channelmanager.go
@ -206,10 +206,6 @@ func (cm *ChannelManager) Cleanup(channel *Channel) {
 }
 func (cm *ChannelManager) SetRegistered(channelName string, account string) (err error) {
 	if account == "" {
 		return errAuthRequired // this is already enforced by ChanServ, but do a final check
 	}
 	if cm.server.Defcon() <= 4 {
 		return errFeatureDisabled
 	}
--- a/irc/channelreg.go
+++ b/irc/channelreg.go
@ -63,8 +63,6 @@ type RegisteredChannel struct {
 	Invites map[string]MaskInfo
 	// Settings are the chanserv-modifiable settings
 	Settings ChannelSettings
 	// Metadata set using the METADATA command
 	Metadata map[string]string
 }
 func (r *RegisteredChannel) Serialize() ([]byte, error) {
--- a/irc/client.go
+++ b/irc/client.go
@ -6,7 +6,6 @@
 package irc
 import (
 	"context"
 	"crypto/x509"
 	"fmt"
 	"maps"
@ -33,7 +32,6 @@ import (
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/sno"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 const (
@ -42,15 +40,12 @@ const (
 	// IdentTimeout is how long before our ident (username) check times out.
 	IdentTimeout         = time.Second + 500*time.Millisecond
 	IRCv3TimestampFormat = utils.IRCv3TimestampFormat
 	// limit the number of device IDs a client can use, as a DoS mitigation
 	maxDeviceIDsPerClient = 64
 	// maximum total read markers that can be stored
 	// (writeback of read markers is controlled by lastSeen logic)
 	maxReadMarkers = 256
 	// should be long enough to handle multiple notifications in rapid succession,
 	// short enough that it doesn't waste a lot of RAM per client
 	pushQueueLengthPerClient = 16
 )
 const (
@ -70,10 +65,6 @@ const (
 	PingCoalesceThreshold = time.Second
 )
 const (
 	utf8BOM = "\xef\xbb\xbf"
 )
 var (
 	MaxLineLen = DefaultMaxLineLen
 )
@ -126,12 +117,6 @@ type Client struct {
 	history            history.Buffer
 	dirtyBits          uint
 	writebackLock      sync.Mutex // tier 1.5
 	pushSubscriptions       map[string]*pushSubscription
 	cachedPushSubscriptions []storedPushSubscription
 	clearablePushMessages   map[string]time.Time
 	pushSubscriptionsExist  atomic.Uint32 // this is a cache on len(pushSubscriptions) != 0
 	pushQueue               pushQueue
 	metadata                map[string]string
 }
 type saslStatus struct {
@ -167,8 +152,6 @@ const (
 type Session struct {
 	client *Client
 	connID string // identifies the connection in debug logs
 	deviceID string
 	ctime      time.Time
@ -196,8 +179,6 @@ type Session struct {
 	batchCounter atomic.Uint32
 	isupportSentPrereg bool
 	quitMessage string
 	awayMessage string
@ -213,11 +194,6 @@ type Session struct {
 	autoreplayMissedSince time.Time
 	batch MultilineBatch
 	webPushEndpoint string // goroutine-local: web push endpoint registered by the current session
 	metadataSubscriptions utils.HashSet[string]
 	metadataPreregVals    map[string]string
 }
 // MultilineBatch tracks the state of a client-to-server multiline batch.
@ -356,8 +332,7 @@ func (server *Server) RunClient(conn IRCConn) {
 		return
 	}
-	connID := server.generateConnectionID()
+	server.logger.Info("connect-ip", fmt.Sprintf("Client connecting: real IP %v, proxied IP %v", realIP, proxiedIP))
 	server.logger.Info("connect-ip", connID, fmt.Sprintf("Client connecting: real IP %v, proxied IP %v", realIP, proxiedIP))
 	now := time.Now().UTC()
 	// give them 1k of grace over the limit:
@ -397,7 +372,6 @@ func (server *Server) RunClient(conn IRCConn) {
 		proxiedIP:  proxiedIP,
 		isTor:      wConn.Tor,
 		hideSTS:    wConn.Tor || wConn.HideSTS,
 		connID:     connID,
 	}
 	session.sasl.Initialize()
 	client.sessions = []*Session{session}
@ -427,7 +401,7 @@ func (server *Server) RunClient(conn IRCConn) {
 	client.run(session)
 }
-func (server *Server) AddAlwaysOnClient(account ClientAccount, channelToStatus map[string]alwaysOnChannelStatus, lastSeen, readMarkers map[string]time.Time, uModes modes.Modes, realname string, pushSubscriptions []storedPushSubscription) {
+func (server *Server) AddAlwaysOnClient(account ClientAccount, channelToStatus map[string]alwaysOnChannelStatus, lastSeen, readMarkers map[string]time.Time, uModes modes.Modes, realname string) {
 	now := time.Now().UTC()
 	config := server.Config()
 	if lastSeen == nil && account.Settings.AutoreplayMissed {
@ -504,14 +478,6 @@ func (server *Server) AddAlwaysOnClient(account ClientAccount, channelToStatus m
 	if persistenceEnabled(config.Accounts.Multiclient.AutoAway, client.accountSettings.AutoAway) {
 		client.setAutoAwayNoMutex(config)
 	}
 	if len(pushSubscriptions) != 0 {
 		client.pushSubscriptions = make(map[string]*pushSubscription, len(pushSubscriptions))
 		for _, sub := range pushSubscriptions {
 			client.pushSubscriptions[sub.Endpoint] = newPushSubscription(sub)
 		}
 	}
 	client.rebuildPushSubscriptionCache()
 }
 func (client *Client) resizeHistory(config *Config) {
@ -678,7 +644,7 @@ func (client *Client) run(session *Session) {
 	isReattach := client.Registered()
 	if isReattach {
 		client.Touch(session)
-		client.performReattach(session)
+		client.playReattachMessages(session)
 	}
 	firstLine := !isReattach
@ -689,7 +655,7 @@ func (client *Client) run(session *Session) {
 		if err == errInvalidUtf8 {
 			invalidUtf8 = true // handle as normal, including labeling
 		} else if err != nil {
-			client.server.logger.Debug("connect-ip", session.connID, "read error from client", err.Error())
+			client.server.logger.Debug("connect-ip", "read error from client", err.Error())
 			var quitMessage string
 			switch err {
 			case ircreader.ErrReadQ:
@ -702,7 +668,7 @@ func (client *Client) run(session *Session) {
 		}
 		if client.server.logger.IsLoggingRawIO() {
-			client.server.logger.Debug("userinput", session.connID, client.nick, "<-", line)
+			client.server.logger.Debug("userinput", client.nick, "<- ", line)
 		}
 		// special-cased handling of PROXY protocol, see `handleProxyCommand` for details:
@ -734,12 +700,8 @@ func (client *Client) run(session *Session) {
 			}
 			session.fakelag.Touch(command)
 		} else {
 			if session.registrationMessages == 0 && httpVerbs.Has(msg.Command) {
 				client.Send(nil, client.server.name, ERR_UNKNOWNERROR, msg.Command, "This is not an HTTP server")
 				break
 			}
 			session.registrationMessages++
 			// DoS hardening, #505
 			session.registrationMessages++
 			if client.server.Config().Limits.RegistrationMessages < session.registrationMessages {
 				client.Send(nil, client.server.name, ERR_UNKNOWNERROR, "*", client.t("You have sent too many registration messages"))
 				break
@ -757,16 +719,17 @@ func (client *Client) run(session *Session) {
 				continue
 			} // else: proceed with the truncated line
 		} else if err != nil {
-			message := "Received malformed line"
+			client.Quit(client.t("Received malformed line"), session)
 			if strings.HasPrefix(line, utf8BOM) {
 				message = "Received UTF-8 byte-order mark, which is invalid at the start of an IRC protocol message"
 			}
 			client.Quit(message, session)
 			break
 		}
-		var cmd Command
+		cmd, exists := Commands[msg.Command]
-		msg.Command, cmd = client.server.resolveCommand(msg.Command, invalidUtf8)
+		if !exists {
 			cmd = unknownCommand
 		} else if invalidUtf8 {
 			cmd = invalidUtf8Command
 		}
 		isExiting := cmd.Run(client.server, client, session, msg)
 		if isExiting {
 			break
@ -778,9 +741,7 @@ func (client *Client) run(session *Session) {
 	}
 }
-func (client *Client) performReattach(session *Session) {
+func (client *Client) playReattachMessages(session *Session) {
 	client.applyPreregMetadata(session)
 	client.server.playRegistrationBurst(session)
 	hasHistoryCaps := session.HasHistoryCaps()
 	for _, channel := range session.client.Channels() {
@ -804,34 +765,6 @@ func (client *Client) performReattach(session *Session) {
 	session.autoreplayMissedSince = time.Time{}
 }
 func (client *Client) applyPreregMetadata(session *Session) {
 	if session.metadataPreregVals == nil {
 		return
 	}
 	defer func() {
 		session.metadataPreregVals = nil
 	}()
 	updates := client.UpdateMetadataFromPrereg(session.metadataPreregVals, client.server.Config().Metadata.MaxKeys)
 	if len(updates) == 0 {
 		return
 	}
 	// TODO this is expensive
 	friends := client.FriendsMonitors(caps.Metadata)
 	for _, s := range client.Sessions() {
 		if s != session {
 			friends.Add(s)
 		}
 	}
 	target := client.Nick()
 	for k, v := range updates {
 		broadcastMetadataUpdate(client.server, maps.Keys(friends), session, target, k, v, true)
 	}
 }
 //
 // idle, quit, timers and timeouts
 //
@ -1163,7 +1096,6 @@ func (client *Client) SetNick(nick, nickCasefolded, skeleton string) (success bo
 	client.nickCasefolded = nickCasefolded
 	client.skeleton = skeleton
 	client.updateNickMaskNoMutex()
 	return true
 }
@ -1228,18 +1160,12 @@ func (client *Client) LoggedIntoAccount() bool {
 // (You must ensure separately that destroy() is called, e.g., by returning `true` from
 // the command handler or calling it yourself.)
 func (client *Client) Quit(message string, session *Session) {
 	nuh := client.NickMaskString()
 	now := time.Now().UTC()
 	setFinalData := func(sess *Session) {
 		message := sess.quitMessage
 		var finalData []byte
 		// #364: don't send QUIT lines to unregistered clients
 		if client.registered {
-			quitMsg := ircmsg.MakeMessage(nil, nuh, "QUIT", message)
+			quitMsg := ircmsg.MakeMessage(nil, client.nickMaskString, "QUIT", message)
 			if sess.capabilities.Has(caps.ServerTime) {
 				quitMsg.SetTag("time", now.Format(utils.IRCv3TimestampFormat))
 			}
 			finalData, _ = quitMsg.LineBytesStrict(false, MaxLineLen)
 		}
@ -1359,7 +1285,7 @@ func (client *Client) destroy(session *Session) {
 		if !shouldDestroy {
 			client.server.snomasks.Send(sno.LocalDisconnects, fmt.Sprintf(ircfmt.Unescape("Client session disconnected for [a:%s] [h:%s] [ip:%s]"), details.accountName, session.rawHostname, source))
 		}
-		client.server.logger.Info("connect-ip", session.connID, fmt.Sprintf("Disconnecting session of %s from %s", details.nick, source))
+		client.server.logger.Info("connect-ip", fmt.Sprintf("disconnecting session of %s from %s", details.nick, source))
 	}
 	// decrement stats if we have no more sessions, even if the client will not be destroyed
@ -1497,7 +1423,7 @@ func (session *Session) sendFromClientInternal(blocking bool, serverTime time.Ti
 func composeMultilineBatch(batchID, fromNickMask, fromAccount string, isBot bool, tags map[string]string, command, target string, message utils.SplitMessage) (result []ircmsg.Message) {
 	batchStart := ircmsg.MakeMessage(tags, fromNickMask, "BATCH", "+"+batchID, caps.MultilineBatchType, target)
-	batchStart.SetTag("time", message.Time.Format(utils.IRCv3TimestampFormat))
+	batchStart.SetTag("time", message.Time.Format(IRCv3TimestampFormat))
 	batchStart.SetTag("msgid", message.Msgid)
 	if fromAccount != "*" {
 		batchStart.SetTag("account", fromAccount)
@ -1569,7 +1495,7 @@ func (session *Session) SendRawMessage(message ircmsg.Message, blocking bool) er
 func (session *Session) sendBytes(line []byte, blocking bool) (err error) {
 	if session.client.server.logger.IsLoggingRawIO() {
 		logline := string(line[:len(line)-2]) // strip "\r\n"
-		session.client.server.logger.Debug("useroutput", session.connID, session.client.Nick(), "->", logline)
+		session.client.server.logger.Debug("useroutput", session.client.Nick(), " ->", logline)
 	}
 	if blocking {
@ -1578,7 +1504,7 @@ func (session *Session) sendBytes(line []byte, blocking bool) (err error) {
 		err = session.socket.Write(line)
 	}
 	if err != nil {
-		session.client.server.logger.Info("quit", session.connID, "send error to client", session.client.Nick(), err.Error())
+		session.client.server.logger.Info("quit", "send error to client", fmt.Sprintf("%s [%d]", session.client.Nick(), session.sessionID), err.Error())
 	}
 	return err
 }
@ -1605,7 +1531,7 @@ func (session *Session) setTimeTag(msg *ircmsg.Message, serverTime time.Time) {
 		if serverTime.IsZero() {
 			serverTime = time.Now()
 		}
-		msg.SetTag("time", serverTime.UTC().Format(utils.IRCv3TimestampFormat))
+		msg.SetTag("time", serverTime.UTC().Format(IRCv3TimestampFormat))
 	}
 }
@ -1848,7 +1774,6 @@ const (
 	IncludeChannels uint = 1 << iota
 	IncludeUserModes
 	IncludeRealname
 	IncludePushSubscriptions
 )
 func (client *Client) markDirty(dirtyBits uint) {
@ -1869,7 +1794,7 @@ func (client *Client) wakeWriter() {
 }
 func (client *Client) writeLoop() {
-	defer client.server.HandlePanic(nil)
+	defer client.server.HandlePanic()
 	for {
 		client.performWrite(0)
@ -1927,9 +1852,6 @@ func (client *Client) performWrite(additionalDirtyBits uint) {
 	if (dirtyBits & IncludeRealname) != 0 {
 		client.server.accounts.saveRealname(account, client.realname)
 	}
 	if (dirtyBits & IncludePushSubscriptions) != 0 {
 		client.server.accounts.savePushSubscriptions(account, client.getPushSubscriptions(true))
 	}
 }
 // Blocking store; see Channel.Store and Socket.BlockingWrite
@ -1949,134 +1871,3 @@ func (client *Client) Store(dirtyBits uint) (err error) {
 	client.performWrite(dirtyBits)
 	return nil
 }
 // pushSubscription represents all the data we track about the state of a push subscription;
 // right now every field is persisted, but we may want to persist only a subset in future
 type pushSubscription struct {
 	storedPushSubscription
 }
 // storedPushSubscription represents a subscription as stored in the database
 type storedPushSubscription struct {
 	Endpoint    string
 	Keys        webpush.Keys
 	LastRefresh time.Time // last time the client sent WEBPUSH REGISTER for this endpoint
 	LastSuccess time.Time // last time we successfully pushed to this endpoint
 }
 func newPushSubscription(sub storedPushSubscription) *pushSubscription {
 	return &pushSubscription{
 		storedPushSubscription: sub,
 		// TODO any other initialization here, like rate limiting
 	}
 }
 type pushMessage struct {
 	msg                 []byte
 	urgency             webpush.Urgency
 	originatingEndpoint string
 	cftarget            string
 	time                time.Time
 }
 type pushQueue struct {
 	workerLock sync.Mutex
 	queue      chan pushMessage
 	once       sync.Once
 	dropped    atomic.Uint64
 }
 func (c *Client) ensurePushInitialized() {
 	c.pushQueue.once.Do(c.initializePush)
 }
 func (c *Client) initializePush() {
 	// allocate the queue
 	c.pushQueue.queue = make(chan pushMessage, pushQueueLengthPerClient)
 }
 func (client *Client) dispatchPushMessage(msg pushMessage) {
 	client.ensurePushInitialized()
 	select {
 	case client.pushQueue.queue <- msg:
 		if client.pushQueue.workerLock.TryLock() {
 			go client.pushWorker()
 		}
 	default:
 		client.pushQueue.dropped.Add(1)
 	}
 }
 func (client *Client) pushWorker() {
 	defer client.server.HandlePanic(nil)
 	defer client.pushQueue.workerLock.Unlock()
 	for {
 		select {
 		case msg := <-client.pushQueue.queue:
 			for _, sub := range client.getPushSubscriptions(false) {
 				if !client.skipPushMessage(msg) {
 					client.sendAndTrackPush(sub.Endpoint, sub.Keys, msg, true)
 				}
 			}
 		default:
 			// no more messages, end the goroutine and release the trylock
 			return
 		}
 	}
 }
 // skipPushMessage waits up to the configured delay for the client to send MARKREAD;
 // it returns whether the message has been read
 func (client *Client) skipPushMessage(msg pushMessage) bool {
 	if msg.cftarget == "" || msg.time.IsZero() {
 		return false
 	}
 	config := client.server.Config()
 	if config.WebPush.Delay == 0 {
 		return false
 	}
 	deadline := msg.time.Add(config.WebPush.Delay)
 	pause := time.Until(deadline)
 	if pause > 0 {
 		time.Sleep(pause)
 	}
 	readTimestamp, ok := client.getMarkreadTime(msg.cftarget)
 	return ok && utils.ReadMarkerLessThanOrEqual(msg.time, readTimestamp)
 }
 func (client *Client) sendAndTrackPush(endpoint string, keys webpush.Keys, msg pushMessage, updateDB bool) {
 	if endpoint == msg.originatingEndpoint {
 		return
 	}
 	if msg.cftarget != "" && !msg.time.IsZero() {
 		client.addClearablePushMessage(msg.cftarget, msg.time)
 	}
 	switch client.sendPush(endpoint, keys, msg.urgency, msg.msg) {
 	case nil:
 		client.recordPush(endpoint, true)
 	case webpush.Err404:
 		client.deletePushSubscription(endpoint, updateDB)
 	default:
 		client.recordPush(endpoint, false)
 	}
 }
 func (client *Client) sendPush(endpoint string, keys webpush.Keys, urgency webpush.Urgency, msg []byte) error {
 	config := client.server.Config()
 	// final sanity check
 	if !config.WebPush.Enabled {
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), config.WebPush.Timeout)
 	defer cancel()
 	err := webpush.SendWebPush(ctx, endpoint, keys, config.WebPush.vapidKeys, webpush.UrgencyHigh, config.WebPush.Subscriber, msg)
 	if err == nil {
 		client.server.logger.Debug("webpush", "dispatched push to client", client.Nick(), endpoint)
 	} else {
 		client.server.logger.Debug("webpush", "failed to dispatch push to client", client.Nick(), endpoint, err.Error())
 	}
 	return err
 }
--- a/irc/client_lookup_set.go
+++ b/irc/client_lookup_set.go
@ -94,6 +94,7 @@ func (clients *ClientManager) SetNick(client *Client, session *Session, newNick
 	accountName := client.accountName
 	settings := client.accountSettings
 	registered := client.registered
 	realname := client.realname
 	client.stateMutex.RUnlock()
 	// these restrictions have grandfather exceptions for nicknames registered
@ -208,6 +209,10 @@ func (clients *ClientManager) SetNick(client *Client, session *Session, newNick
 			client.server.stats.AddRegistered(invisible, operator)
 		}
 		session.autoreplayMissedSince = lastSeen
 		// TODO: transition mechanism for #1065, clean this up eventually:
 		if currentClient.Realname() == "" {
 			currentClient.SetRealname(realname)
 		}
 		// successful reattach!
 		return newNick, nil, wasAway != nowAway
 	} else if currentClient == client && currentClient.Nick() == newNick {
@ -248,14 +253,15 @@ func (clients *ClientManager) AllClients() (result []*Client) {
 	return
 }
-// AllWithCapsNotify returns all sessions that support cap-notify.
+// AllWithCapsNotify returns all clients with the given capabilities, and that support cap-notify.
-func (clients *ClientManager) AllWithCapsNotify() (sessions []*Session) {
+func (clients *ClientManager) AllWithCapsNotify(capabs ...caps.Capability) (sessions []*Session) {
 	capabs = append(capabs, caps.CapNotify)
 	clients.RLock()
 	defer clients.RUnlock()
 	for _, client := range clients.byNick {
 		for _, session := range client.Sessions() {
 			// cap-notify is implicit in cap version 302 and above
-			if session.capabilities.Has(caps.CapNotify) || 302 <= session.capVersion {
+			if session.capabilities.HasAll(capabs...) || 302 <= session.capVersion {
 				sessions = append(sessions, session)
 			}
 		}
@ -264,18 +270,6 @@ func (clients *ClientManager) AllWithCapsNotify() (sessions []*Session) {
 	return
 }
 // AllWithPushSubscriptions returns all clients that are always-on with an active push subscription.
 func (clients *ClientManager) AllWithPushSubscriptions() (result []*Client) {
 	clients.RLock()
 	defer clients.RUnlock()
 	for _, client := range clients.byNick {
 		if client.hasPushSubscriptions() && client.AlwaysOn() {
 			result = append(result, client)
 		}
 	}
 	return result
 }
 // FindAll returns all clients that match the given userhost mask.
 func (clients *ClientManager) FindAll(userhost string) (set ClientSet) {
 	set = make(ClientSet)
--- a/irc/cloaks/cloaks.go
+++ b/irc/cloaks/cloaks.go
@ -6,7 +6,7 @@ import (
 	"fmt"
 	"net"
-	"crypto/sha3"
+	"golang.org/x/crypto/sha3"
 	"github.com/ergochat/ergo/irc/utils"
 )
--- a/irc/commands.go
+++ b/irc/commands.go
@ -18,24 +18,6 @@ type Command struct {
 	capabs         []string
 }
 // resolveCommand returns the command to execute in response to a user input line.
 // some invalid commands (unknown command verb, invalid UTF8) get a fake handler
 // to ensure that labeled-response still works as expected.
 func (server *Server) resolveCommand(command string, invalidUTF8 bool) (canonicalName string, result Command) {
 	if invalidUTF8 {
 		return command, invalidUtf8Command
 	}
 	if cmd, ok := Commands[command]; ok {
 		return command, cmd
 	}
 	if target, ok := server.Config().Server.CommandAliases[command]; ok {
 		if cmd, ok := Commands[target]; ok {
 			return target, cmd
 		}
 	}
 	return command, unknownCommand
 }
 // Run runs this command with the given client/message.
 func (cmd *Command) Run(server *Server, client *Client, session *Session, msg ircmsg.Message) (exiting bool) {
 	rb := NewResponseBuffer(session)
@ -170,10 +152,6 @@ func init() {
 			handler:   isonHandler,
 			minParams: 1,
 		},
 		"ISUPPORT": {
 			handler:      isupportHandler,
 			usablePreReg: true,
 		},
 		"JOIN": {
 			handler:   joinHandler,
 			minParams: 1,
@ -209,11 +187,6 @@ func init() {
 			handler:   markReadHandler,
 			minParams: 0, // send FAIL instead of ERR_NEEDMOREPARAMS
 		},
 		"METADATA": {
 			handler:      metadataHandler,
 			minParams:    2,
 			usablePreReg: true,
 		},
 		"MODE": {
 			handler:   modeHandler,
 			minParams: 1,
@ -390,10 +363,6 @@ func init() {
 			usablePreReg: true,
 			minParams:    4,
 		},
 		"WEBPUSH": {
 			handler:   webpushHandler,
 			minParams: 2,
 		},
 		"WHO": {
 			handler:   whoHandler,
 			minParams: 1,
--- a/irc/config.go
+++ b/irc/config.go
@ -22,7 +22,6 @@ import (
 	"strconv"
 	"strings"
 	"time"
 	"unicode/utf8"
 	"code.cloudfoundry.org/bytefmt"
 	"github.com/ergochat/irc-go/ircfmt"
@ -42,7 +41,6 @@ import (
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/passwd"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 // here's how this works: exported (capitalized) members of the config structs
@ -609,27 +607,14 @@ type Config struct {
 		OverrideServicesHostname string              `yaml:"override-services-hostname"`
 		MaxLineLen               int                 `yaml:"max-line-len"`
 		SuppressLusers           bool                `yaml:"suppress-lusers"`
 		AdditionalISupport       map[string]string   `yaml:"additional-isupport"`
 		CommandAliases           map[string]string   `yaml:"command-aliases"`
 	}
 	API struct {
 		Enabled          bool
 		Listener         string
 		TLS              TLSListenConfig
 		tlsConfig        *tls.Config
 		BearerTokens     []string `yaml:"bearer-tokens"`
 		bearerTokenBytes [][]byte
 	} `yaml:"api"`
 	Roleplay struct {
 		Enabled        bool
 		RequireChanops bool  `yaml:"require-chanops"`
 		RequireOper    bool  `yaml:"require-oper"`
 		AddSuffix      *bool `yaml:"add-suffix"`
 		addSuffix      bool
 		NPCNickMask    string `yaml:"npc-nick-mask"`
 		SceneNickMask  string `yaml:"scene-nick-mask"`
 	}
 	Extjwt struct {
@ -723,23 +708,6 @@ type Config struct {
 		} `yaml:"tagmsg-storage"`
 	}
 	Metadata struct {
 		Enabled       bool
 		MaxSubs       int `yaml:"max-subs"`
 		MaxKeys       int `yaml:"max-keys"`
 		MaxValueBytes int `yaml:"max-value-length"`
 	}
 	WebPush struct {
 		Enabled          bool
 		Timeout          time.Duration
 		Delay            time.Duration
 		Subscriber       string
 		MaxSubscriptions int `yaml:"max-subscriptions"`
 		Expiration       custime.Duration
 		vapidKeys        *webpush.VAPIDKeys
 	} `yaml:"webpush"`
 	Filename string
 }
@ -1030,40 +998,6 @@ func (config *Config) processExtjwt() (err error) {
 	return nil
 }
 func (config *Config) processAPI() (err error) {
 	if !config.API.Enabled {
 		return nil
 	}
 	if config.API.Listener == "" {
 		return errors.New("config.api.enabled is true, but listener address is empty")
 	}
 	config.API.bearerTokenBytes = make([][]byte, len(config.API.BearerTokens))
 	for i, tok := range config.API.BearerTokens {
 		if tok == "" || tok == "example" {
 			continue
 		}
 		config.API.bearerTokenBytes[i] = []byte(tok)
 	}
 	var tlsConfig *tls.Config
 	if config.API.TLS.Cert != "" {
 		cert, err := loadCertWithLeaf(config.API.TLS.Cert, config.API.TLS.Key)
 		if err != nil {
 			return err
 		}
 		tlsConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
 			MinVersion:   tls.VersionTLS12,
 			// TODO consider supporting client certificates
 		}
 	}
 	config.API.tlsConfig = tlsConfig
 	return nil
 }
 // LoadRawConfig loads the config without doing any consistency checks or postprocessing
 func LoadRawConfig(filename string) (config *Config, err error) {
 	data, err := os.ReadFile(filename)
@ -1585,7 +1519,6 @@ func LoadConfig(filename string) (config *Config, err error) {
 		config.Server.supportedCaps.Disable(caps.Chathistory)
 		config.Server.supportedCaps.Disable(caps.EventPlayback)
 		config.Server.supportedCaps.Disable(caps.ZNCPlayback)
 		config.Server.supportedCaps.Disable(caps.MessageRedaction)
 	}
 	if !config.History.Enabled || !config.History.Persistent.Enabled {
@ -1616,17 +1549,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 		}
 	}
 	if !config.History.Retention.AllowIndividualDelete {
 		config.Server.supportedCaps.Disable(caps.MessageRedaction) // #2215
 	}
 	config.Roleplay.addSuffix = utils.BoolDefaultTrue(config.Roleplay.AddSuffix)
 	if config.Roleplay.NPCNickMask == "" {
 		config.Roleplay.NPCNickMask = defaultNPCNickMask
 	}
 	if config.Roleplay.SceneNickMask == "" {
 		config.Roleplay.SceneNickMask = defaultSceneNickMask
 	}
 	config.Datastore.MySQL.ExpireTime = time.Duration(config.History.Restrictions.ExpireTime)
 	config.Datastore.MySQL.TrackAccountMessages = config.History.Retention.EnableAccountIndexing
@ -1644,65 +1567,11 @@ func LoadConfig(filename string) (config *Config, err error) {
 		}
 	}
 	if !config.Metadata.Enabled {
 		config.Server.supportedCaps.Disable(caps.Metadata)
 	} else {
 		metadataValues := make([]string, 0, 4)
 		metadataValues = append(metadataValues, "before-connect")
 		// these are required for normal operation, so set sane defaults:
 		if config.Metadata.MaxSubs == 0 {
 			config.Metadata.MaxSubs = 10
 		}
 		metadataValues = append(metadataValues, fmt.Sprintf("max-subs=%d", config.Metadata.MaxSubs))
 		if config.Metadata.MaxKeys == 0 {
 			config.Metadata.MaxKeys = 10
 		}
 		metadataValues = append(metadataValues, fmt.Sprintf("max-keys=%d", config.Metadata.MaxKeys))
 		// this is not required since we enforce a hardcoded upper bound on key+value
 		if config.Metadata.MaxValueBytes > 0 {
 			metadataValues = append(metadataValues, fmt.Sprintf("max-value-bytes=%d", config.Metadata.MaxValueBytes))
 		}
 		config.Server.capValues[caps.Metadata] = strings.Join(metadataValues, ",")
 	}
 	err = config.processExtjwt()
 	if err != nil {
 		return nil, err
 	}
 	if config.WebPush.Enabled {
 		if config.Accounts.Multiclient.AlwaysOn == PersistentDisabled {
 			return nil, fmt.Errorf("Cannot enable webpush if always-on is disabled")
 		}
 		if config.WebPush.Timeout == 0 {
 			config.WebPush.Timeout = 10 * time.Second
 		}
 		if config.WebPush.Subscriber == "" {
 			config.WebPush.Subscriber = "https://ergo.chat/about"
 		}
 		if config.WebPush.MaxSubscriptions <= 0 {
 			config.WebPush.MaxSubscriptions = 1
 		}
 		if config.WebPush.Expiration == 0 {
 			config.WebPush.Expiration = custime.Duration(14 * 24 * time.Hour)
 		} else if config.WebPush.Expiration < custime.Duration(3*24*time.Hour) {
 			return nil, fmt.Errorf("webpush.expiration is too short (should be several days)")
 		}
 	} else {
 		config.Server.supportedCaps.Disable(caps.WebPush)
 		config.Server.supportedCaps.Disable(caps.SojuWebPush)
 	}
 	err = config.processAPI()
 	if err != nil {
 		return nil, err
 	}
 	config.Server.CommandAliases, err = normalizeCommandAliases(config.Server.CommandAliases)
 	if err != nil {
 		return nil, err
 	}
 	// now that all postprocessing is complete, regenerate ISUPPORT:
 	err = config.generateISupport()
 	if err != nil {
@ -1758,7 +1627,7 @@ func (config *Config) generateISupport() (err error) {
 	}
 	isupport.Add("CASEMAPPING", casemappingToken)
 	isupport.Add("CHANLIMIT", fmt.Sprintf("%s:%d", chanTypes, config.Channels.MaxChannelsPerClient))
-	isupport.Add("CHANMODES", modes.ChanmodesToken())
+	isupport.Add("CHANMODES", chanmodesToken)
 	if config.History.Enabled && config.History.ChathistoryMax > 0 {
 		isupport.Add("CHATHISTORY", strconv.Itoa(config.History.ChathistoryMax))
 		// Kiwi expects this legacy token name:
@ -1787,8 +1656,6 @@ func (config *Config) generateISupport() (err error) {
 		isupport.Add("RPCHAN", "E")
 		isupport.Add("RPUSER", "E")
 	}
 	isupport.Add("SAFELIST", "")
 	isupport.Add("SAFERATE", "")
 	isupport.Add("STATUSMSG", "~&@%+")
 	isupport.Add("TARGMAX", fmt.Sprintf("NAMES:1,LIST:1,KICK:,WHOIS:1,USERHOST:10,PRIVMSG:%s,TAGMSG:%s,NOTICE:%s,MONITOR:%d", maxTargetsString, maxTargetsString, maxTargetsString, config.Limits.MonitorEntries))
 	isupport.Add("TOPICLEN", strconv.Itoa(config.Limits.TopicLen))
@ -1798,21 +1665,8 @@ func (config *Config) generateISupport() (err error) {
 	if config.Server.EnforceUtf8 {
 		isupport.Add("UTF8ONLY", "")
 	}
 	if config.WebPush.Enabled {
 		// XXX we typically don't have this at config parse time, so we'll have to regenerate
 		// the cached reply later
 		if config.WebPush.vapidKeys != nil {
 			isupport.Add("VAPID", config.WebPush.vapidKeys.PublicKeyString())
 		}
 	}
 	isupport.Add("WHOX", "")
 	for key, value := range config.Server.AdditionalISupport {
 		if !isupport.Contains(key) {
 			isupport.Add(key, value)
 		}
 	}
 	err = isupport.RegenerateCachedReply()
 	return
 }
@ -1914,9 +1768,6 @@ func (config *Config) loadMOTD() error {
 			if config.Server.MOTDFormatting {
 				lineToSend = ircfmt.Unescape(lineToSend)
 			}
 			if config.Server.EnforceUtf8 && !utf8.ValidString(lineToSend) {
 				return fmt.Errorf("Line %d of MOTD contains invalid UTF8", i+1)
 			}
 			// "- " is the required prefix for MOTD
 			lineToSend = fmt.Sprintf("- %s", lineToSend)
 			config.Server.motdLines = append(config.Server.motdLines, lineToSend)
@ -1924,22 +1775,3 @@ func (config *Config) loadMOTD() error {
 	}
 	return nil
 }
 func normalizeCommandAliases(aliases map[string]string) (normalizedAliases map[string]string, err error) {
 	if len(aliases) == 0 {
 		return nil, nil
 	}
 	normalizedAliases = make(map[string]string, len(aliases))
 	for alias, command := range aliases {
 		alias = strings.ToUpper(alias)
 		command = strings.ToUpper(command)
 		if _, found := Commands[alias]; found {
 			return nil, fmt.Errorf("Command alias `%s` collides with a real Ergo command", alias)
 		}
 		if _, found := Commands[command]; !found {
 			return nil, fmt.Errorf("Command alias `%s` mapped to non-existent Ergo command `%s`", alias, command)
 		}
 		normalizedAliases[alias] = command
 	}
 	return normalizedAliases, nil
 }
--- a/irc/database.go
+++ b/irc/database.go
@ -18,7 +18,6 @@ import (
 	"github.com/ergochat/ergo/irc/datastore"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 	"github.com/tidwall/buntdb"
 )
@ -28,17 +27,15 @@ const (
 	// 'version' of the database schema
 	// latest schema of the db
-	latestDbSchema = 24
+	latestDbSchema = 23
 )
 var (
 	schemaVersionUUID = utils.UUID{0, 255, 85, 13, 212, 10, 191, 121, 245, 152, 142, 89, 97, 141, 219, 87}    // AP9VDdQKv3n1mI5ZYY3bVw
 	cloakSecretUUID   = utils.UUID{170, 214, 184, 208, 116, 181, 67, 75, 161, 23, 233, 16, 113, 251, 94, 229} // qta40HS1Q0uhF-kQcfte5Q
 	vapidKeysUUID     = utils.UUID{87, 215, 189, 5, 65, 105, 249, 44, 65, 96, 170, 56, 187, 110, 12, 235}     // V9e9BUFp-SxBYKo4u24M6w
 	keySchemaVersion = bunt.BuntKey(datastore.TableMetadata, schemaVersionUUID)
 	keyCloakSecret   = bunt.BuntKey(datastore.TableMetadata, cloakSecretUUID)
 	keyVAPIDKeys     = bunt.BuntKey(datastore.TableMetadata, vapidKeysUUID)
 )
 type SchemaChanger func(*Config, *buntdb.Tx) error
@ -83,15 +80,6 @@ func initializeDB(path string) error {
 		// set schema version
 		tx.Set(keySchemaVersion, strconv.Itoa(latestDbSchema), nil)
 		tx.Set(keyCloakSecret, utils.GenerateSecretKey(), nil)
 		vapidKeys, err := webpush.GenerateVAPIDKeys()
 		if err != nil {
 			return err
 		}
 		j, err := json.Marshal(vapidKeys)
 		if err != nil {
 			return err
 		}
 		tx.Set(keyVAPIDKeys, string(j), nil)
 		return nil
 	})
@ -245,16 +233,6 @@ func StoreCloakSecret(dstore datastore.Datastore, secret string) {
 	dstore.Set(datastore.TableMetadata, cloakSecretUUID, []byte(secret), time.Time{})
 }
 func LoadVAPIDKeys(dstore datastore.Datastore) (*webpush.VAPIDKeys, error) {
 	val, err := dstore.Get(datastore.TableMetadata, vapidKeysUUID)
 	if err != nil {
 		return nil, err
 	}
 	result := new(webpush.VAPIDKeys)
 	err = json.Unmarshal([]byte(val), result)
 	return result, nil
 }
 func schemaChangeV1toV2(config *Config, tx *buntdb.Tx) error {
 	// == version 1 -> 2 ==
 	// account key changes and account.verified key bugfix.
@ -1240,20 +1218,6 @@ func schemaChangeV22ToV23(config *Config, tx *buntdb.Tx) error {
 	return nil
 }
 // webpush signing key
 func schemaChangeV23ToV24(config *Config, tx *buntdb.Tx) error {
 	keys, err := webpush.GenerateVAPIDKeys()
 	if err != nil {
 		return err
 	}
 	j, err := json.Marshal(keys)
 	if err != nil {
 		return err
 	}
 	tx.Set(keyVAPIDKeys, string(j), nil)
 	return nil
 }
 func getSchemaChange(initialVersion int) (result SchemaChange, ok bool) {
 	for _, change := range allChanges {
 		if initialVersion == change.InitialVersion {
@ -1374,9 +1338,4 @@ var allChanges = []SchemaChange{
 		TargetVersion:  23,
 		Changer:        schemaChangeV22ToV23,
 	},
 	{
 		InitialVersion: 23,
 		TargetVersion:  24,
 		Changer:        schemaChangeV23ToV24,
 	},
 }
--- a/irc/email/dkim.go
+++ b/irc/email/dkim.go
@ -4,18 +4,9 @@
 package email
 import (
 	"bytes"
 	"crypto"
 	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
-	"fmt"
+	dkim "github.com/toorop/go-dkim"
 	"os"
 	dkim "github.com/emersion/go-msgauth/dkim"
 )
 var (
@ -26,77 +17,38 @@ type DKIMConfig struct {
 	Domain   string
 	Selector string
 	KeyFile  string `yaml:"key-file"`
-	privKey  crypto.Signer
+	keyBytes []byte
 }
 func (dkim *DKIMConfig) Enabled() bool {
 	return dkim.Domain != ""
 }
 func (dkim *DKIMConfig) Postprocess() (err error) {
-	if !dkim.Enabled() {
+	if dkim.Domain != "" {
 		return nil
 	}
 		if dkim.Selector == "" || dkim.KeyFile == "" {
 			return ErrMissingFields
 		}
-
+		dkim.keyBytes, err = os.ReadFile(dkim.KeyFile)
 	keyBytes, err := os.ReadFile(dkim.KeyFile)
 		if err != nil {
-		return fmt.Errorf("Could not read DKIM key file: %w", err)
+			return err
 		}
 	dkim.privKey, err = parseDKIMPrivKey(keyBytes)
 	if err != nil {
 		return fmt.Errorf("Could not parse DKIM key file: %w", err)
 	}
 	return nil
 }
-func parseDKIMPrivKey(input []byte) (crypto.Signer, error) {
+var defaultOptions = dkim.SigOptions{
-	if len(input) == 0 {
+	Version:               1,
-		return nil, errors.New("DKIM private key is empty")
+	Canonicalization:      "relaxed/relaxed",
-	}
+	Algo:                  "rsa-sha256",
-
+	Headers:               []string{"from", "to", "subject", "message-id", "date"},
-	// raw ed25519 private key format
+	BodyLength:            0,
-	if len(input) == ed25519.PrivateKeySize {
+	QueryMethods:          []string{"dns/txt"},
-		return ed25519.PrivateKey(input), nil
+	AddSignatureTimestamp: true,
-	}
+	SignatureExpireIn:     0,
 	d, _ := pem.Decode(input)
 	if d == nil {
 		return nil, errors.New("Invalid PEM data for DKIM private key")
 	}
 	if rsaKey, err := x509.ParsePKCS1PrivateKey(d.Bytes); err == nil {
 		return rsaKey, nil
 	}
 	if k, err := x509.ParsePKCS8PrivateKey(d.Bytes); err == nil {
 		switch key := k.(type) {
 		case *rsa.PrivateKey:
 			return key, nil
 		case ed25519.PrivateKey:
 			return key, nil
 		default:
 			return nil, fmt.Errorf("Unacceptable type for DKIM private key: %T", k)
 		}
 	}
 	return nil, errors.New("No acceptable format for DKIM private key")
 }
 func DKIMSign(message []byte, dkimConfig DKIMConfig) (result []byte, err error) {
-	options := dkim.SignOptions{
+	options := defaultOptions
-		Domain:                 dkimConfig.Domain,
+	options.PrivateKey = dkimConfig.keyBytes
-		Selector:               dkimConfig.Selector,
+	options.Domain = dkimConfig.Domain
-		Signer:                 dkimConfig.privKey,
+	options.Selector = dkimConfig.Selector
-		HeaderCanonicalization: dkim.CanonicalizationRelaxed,
+	err = dkim.Sign(&message, options)
-		BodyCanonicalization:   dkim.CanonicalizationRelaxed,
+	return message, err
 	}
 	input := bytes.NewBuffer(message)
 	output := bytes.NewBuffer(make([]byte, 0, len(message)+1024))
 	err = dkim.Sign(output, input, &options)
 	return output.Bytes(), err
 }
--- a/irc/email/email.go
+++ b/irc/email/email.go
@ -233,7 +233,7 @@ func SendMail(config MailtoConfig, recipient string, msg []byte) (err error) {
 		}
 	}
-	if config.DKIM.Enabled() {
+	if config.DKIM.Domain != "" {
 		msg, err = DKIMSign(msg, config.DKIM)
 		if err != nil {
 			return
--- a/irc/errors.go
+++ b/irc/errors.go
@ -33,7 +33,6 @@ var (
 	errAccountVerificationInvalidCode = errors.New("Invalid account verification code")
 	errAccountUpdateFailed            = errors.New(`Error while updating your account information`)
 	errAccountMustHoldNick            = errors.New(`You must hold that nickname in order to register it`)
 	errAuthRequired                   = errors.New("You must be logged into an account to do this")
 	errAuthzidAuthcidMismatch         = errors.New(`authcid and authzid must be the same`)
 	errCertfpAlreadyExists            = errors.New(`An account already exists for your certificate fingerprint`)
 	errChannelNotOwnedByAccount       = errors.New("Channel not owned by the specified account")
--- a/irc/flock/flock.go
+++ b/irc/flock/flock.go
@ -1,4 +1,4 @@
-//go:build !(plan9 || solaris)
+//go:build !plan9
 package flock
--- a/irc/flock/flock_unsupported.go
+++ b/irc/flock/flock_unsupported.go
@ -1,4 +1,4 @@
-//go:build plan9 || solaris
+//go:build plan9
 package flock
--- a/irc/gateways.go
+++ b/irc/gateways.go
@ -92,7 +92,7 @@ func (client *Client) ApplyProxiedIP(session *Session, proxiedIP net.IP, tls boo
 	client.server.connectionLimiter.RemoveClient(flatip.FromNetIP(session.realIP))
 	// given IP is sane! override the client's current IP
-	client.server.logger.Info("connect-ip", session.connID, "Accepted proxy IP for client", proxiedIP.String())
+	client.server.logger.Info("connect-ip", "Accepted proxy IP for client", proxiedIP.String())
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
--- a/irc/getters.go
+++ b/irc/getters.go
@ -7,14 +7,12 @@ import (
 	"fmt"
 	"maps"
 	"net"
 	"slices"
 	"time"
 	"github.com/ergochat/ergo/irc/caps"
 	"github.com/ergochat/ergo/irc/languages"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 func (server *Server) Config() (config *Config) {
@ -56,7 +54,6 @@ type SessionData struct {
 	certfp    string
 	deviceID  string
 	connInfo  string
 	connID    string
 	sessionID int64
 	caps      []string
 }
@ -77,7 +74,6 @@ func (client *Client) AllSessionData(currentSession *Session, hasPrivs bool) (da
 			hostname:  session.rawHostname,
 			certfp:    session.certfp,
 			deviceID:  session.deviceID,
 			connID:    session.connID,
 			sessionID: session.sessionID,
 		}
 		if session.proxiedIP != nil {
@ -111,8 +107,8 @@ func (client *Client) AddSession(session *Session) (success bool, numSessions in
 	newSessions[len(newSessions)-1] = session
 	if client.accountSettings.AutoreplayMissed || session.deviceID != "" {
 		lastSeen = client.lastSeen[session.deviceID]
 	}
 		client.setLastSeen(time.Now().UTC(), session.deviceID)
 	}
 	client.sessions = newSessions
 	wasAway = client.awayMessage
 	if client.autoAwayEnabledNoMutex(config) {
@ -224,13 +220,6 @@ func (session *Session) SetAway(awayMessage string) (wasAway, nowAway string) {
 	return
 }
 func (session *Session) ConnID() string {
 	if session == nil {
 		return "*"
 	}
 	return session.connID
 }
 func (client *Client) autoAwayEnabledNoMutex(config *Config) bool {
 	return client.registered && client.alwaysOn &&
 		persistenceEnabled(config.Accounts.Multiclient.AutoAway, client.accountSettings.AutoAway)
@ -497,9 +486,6 @@ func (client *Client) checkAlwaysOnExpirationNoMutex(config *Config, ignoreRegis
 	if !((client.registered || ignoreRegistration) && client.alwaysOn) {
 		return false
 	}
 	if len(client.lastSeen) == 0 {
 		return true // #2252: do not precreate the client if it was never logged into at all
 	}
 	deadline := time.Duration(config.Accounts.Multiclient.AlwaysOnExpiration)
 	if deadline == 0 {
 		return false
@ -518,18 +504,11 @@ func (client *Client) GetReadMarker(cfname string) (result string) {
 	t, ok := client.readMarkers[cfname]
 	client.stateMutex.RUnlock()
 	if ok {
-		return fmt.Sprintf("timestamp=%s", t.Format(utils.IRCv3TimestampFormat))
+		return fmt.Sprintf("timestamp=%s", t.Format(IRCv3TimestampFormat))
 	}
 	return "*"
 }
 func (client *Client) getMarkreadTime(cfname string) (timestamp time.Time, ok bool) {
 	client.stateMutex.RLock()
 	timestamp, ok = client.readMarkers[cfname]
 	client.stateMutex.RUnlock()
 	return
 }
 func (client *Client) copyReadMarkers() (result map[string]time.Time) {
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
@ -568,28 +547,6 @@ func updateLRUMap(lru map[string]time.Time, key string, val time.Time, maxItems
 	return val
 }
 func (client *Client) addClearablePushMessage(cftarget string, messageTime time.Time) {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	if client.clearablePushMessages == nil {
 		client.clearablePushMessages = make(map[string]time.Time)
 	}
 	updateLRUMap(client.clearablePushMessages, cftarget, messageTime, maxReadMarkers)
 }
 func (client *Client) clearClearablePushMessage(cftarget string, readTimestamp time.Time) (ok bool) {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	pushMessageTime, ok := client.clearablePushMessages[cftarget]
 	if ok && utils.ReadMarkerLessThanOrEqual(pushMessageTime, readTimestamp) {
 		delete(client.clearablePushMessages, cftarget)
 		return true
 	}
 	return false
 }
 func (client *Client) shouldFlushTimestamps() (result bool) {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
@ -605,134 +562,6 @@ func (client *Client) setKlined() {
 	client.stateMutex.Unlock()
 }
 func (client *Client) refreshPushSubscription(endpoint string, keys webpush.Keys) bool {
 	// do not mark dirty --- defer the write to periodic maintenance
 	now := time.Now().UTC()
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	sub, ok := client.pushSubscriptions[endpoint]
 	if ok && sub.Keys.Equal(keys) {
 		sub.LastRefresh = now
 		return true
 	}
 	return false // subscription doesn't exist, we need to send a test message
 }
 func (client *Client) addPushSubscription(endpoint string, keys webpush.Keys) error {
 	changed := false
 	defer func() {
 		if changed {
 			client.markDirty(IncludeAllAttrs)
 		}
 	}()
 	config := client.server.Config()
 	now := time.Now().UTC()
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	if client.pushSubscriptions == nil {
 		client.pushSubscriptions = make(map[string]*pushSubscription)
 	}
 	sub, ok := client.pushSubscriptions[endpoint]
 	if ok {
 		changed = !sub.Keys.Equal(keys)
 		sub.Keys = keys
 		sub.LastRefresh = now
 	} else {
 		if len(client.pushSubscriptions) >= config.WebPush.MaxSubscriptions {
 			return errLimitExceeded
 		}
 		changed = true
 		sub = newPushSubscription(storedPushSubscription{
 			Endpoint:    endpoint,
 			Keys:        keys,
 			LastRefresh: now,
 			LastSuccess: now, // assume we just sent a successful message to confirm the sub
 		})
 		client.pushSubscriptions[endpoint] = sub
 	}
 	if changed {
 		client.rebuildPushSubscriptionCache()
 	}
 	return nil
 }
 func (client *Client) hasPushSubscriptions() bool {
 	return client.pushSubscriptionsExist.Load() != 0
 }
 func (client *Client) getPushSubscriptions(refresh bool) []storedPushSubscription {
 	if refresh {
 		func() {
 			client.stateMutex.Lock()
 			defer client.stateMutex.Unlock()
 			client.rebuildPushSubscriptionCache()
 		}()
 	}
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
 	return client.cachedPushSubscriptions
 }
 func (client *Client) rebuildPushSubscriptionCache() {
 	// must hold write lock
 	if len(client.pushSubscriptions) == 0 {
 		client.cachedPushSubscriptions = nil
 		client.pushSubscriptionsExist.Store(0)
 		return
 	}
 	client.cachedPushSubscriptions = make([]storedPushSubscription, 0, len(client.pushSubscriptions))
 	for _, subscription := range client.pushSubscriptions {
 		client.cachedPushSubscriptions = append(client.cachedPushSubscriptions, subscription.storedPushSubscription)
 	}
 	client.pushSubscriptionsExist.Store(1)
 }
 func (client *Client) deletePushSubscription(endpoint string, writeback bool) (changed bool) {
 	defer func() {
 		if writeback && changed {
 			client.markDirty(IncludeAllAttrs)
 		}
 	}()
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	_, ok := client.pushSubscriptions[endpoint]
 	if ok {
 		changed = true
 		delete(client.pushSubscriptions, endpoint)
 		client.rebuildPushSubscriptionCache()
 	}
 	return
 }
 func (client *Client) recordPush(endpoint string, success bool) {
 	now := time.Now().UTC()
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	subscription, ok := client.pushSubscriptions[endpoint]
 	if !ok {
 		return
 	}
 	if success {
 		subscription.LastSuccess = now
 	}
 	// TODO we may want to track failures in some way in the future
 }
 func (channel *Channel) Name() string {
 	channel.stateMutex.RLock()
 	defer channel.stateMutex.RUnlock()
@ -798,12 +627,10 @@ func (channel *Channel) Settings() (result ChannelSettings) {
 }
 func (channel *Channel) SetSettings(settings ChannelSettings) {
 	defer channel.MarkDirty(IncludeSettings)
 	channel.stateMutex.Lock()
 	defer channel.stateMutex.Unlock()
 	channel.settings = settings
 	channel.stateMutex.Unlock()
 	channel.MarkDirty(IncludeSettings)
 }
 func (channel *Channel) setForward(forward string) {
@ -830,212 +657,3 @@ func (channel *Channel) UUID() utils.UUID {
 	defer channel.stateMutex.RUnlock()
 	return channel.uuid
 }
 func (session *Session) isSubscribedTo(key string) bool {
 	session.client.stateMutex.RLock()
 	defer session.client.stateMutex.RUnlock()
 	return session.metadataSubscriptions.Has(key)
 }
 func (session *Session) SubscribeTo(keys ...string) ([]string, error) {
 	maxSubs := session.client.server.Config().Metadata.MaxSubs
 	session.client.stateMutex.Lock()
 	defer session.client.stateMutex.Unlock()
 	if session.metadataSubscriptions == nil {
 		session.metadataSubscriptions = make(utils.HashSet[string])
 	}
 	var added []string
 	for _, k := range keys {
 		if !session.metadataSubscriptions.Has(k) {
 			if len(session.metadataSubscriptions) > maxSubs {
 				return added, errMetadataTooManySubs
 			}
 			added = append(added, k)
 			session.metadataSubscriptions.Add(k)
 		}
 	}
 	return added, nil
 }
 func (session *Session) UnsubscribeFrom(keys ...string) []string {
 	session.client.stateMutex.Lock()
 	defer session.client.stateMutex.Unlock()
 	var removed []string
 	for k := range session.metadataSubscriptions {
 		if slices.Contains(keys, k) {
 			removed = append(removed, k)
 			session.metadataSubscriptions.Remove(k)
 		}
 	}
 	return removed
 }
 func (session *Session) MetadataSubscriptions() utils.HashSet[string] {
 	session.client.stateMutex.Lock()
 	defer session.client.stateMutex.Unlock()
 	return maps.Clone(session.metadataSubscriptions)
 }
 func (channel *Channel) GetMetadata(key string) (string, bool) {
 	channel.stateMutex.RLock()
 	defer channel.stateMutex.RUnlock()
 	val, ok := channel.metadata[key]
 	return val, ok
 }
 func (channel *Channel) SetMetadata(key string, value string, limit int) (updated bool, err error) {
 	defer channel.MarkDirty(IncludeAllAttrs)
 	channel.stateMutex.Lock()
 	defer channel.stateMutex.Unlock()
 	if channel.metadata == nil {
 		channel.metadata = make(map[string]string)
 	}
 	existing, ok := channel.metadata[key]
 	if !ok && len(channel.metadata) >= limit {
 		return false, errLimitExceeded
 	}
 	updated = !ok || value != existing
 	if updated {
 		channel.metadata[key] = value
 	}
 	return updated, nil
 }
 func (channel *Channel) ListMetadata() map[string]string {
 	channel.stateMutex.RLock()
 	defer channel.stateMutex.RUnlock()
 	return maps.Clone(channel.metadata)
 }
 func (channel *Channel) DeleteMetadata(key string) (updated bool) {
 	defer channel.MarkDirty(IncludeAllAttrs)
 	channel.stateMutex.Lock()
 	defer channel.stateMutex.Unlock()
 	_, updated = channel.metadata[key]
 	if updated {
 		delete(channel.metadata, key)
 	}
 	return updated
 }
 func (channel *Channel) ClearMetadata() map[string]string {
 	defer channel.MarkDirty(IncludeAllAttrs)
 	channel.stateMutex.Lock()
 	defer channel.stateMutex.Unlock()
 	oldMap := channel.metadata
 	channel.metadata = nil
 	return oldMap
 }
 func (channel *Channel) CountMetadata() int {
 	channel.stateMutex.RLock()
 	defer channel.stateMutex.RUnlock()
 	return len(channel.metadata)
 }
 func (client *Client) GetMetadata(key string) (string, bool) {
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
 	val, ok := client.metadata[key]
 	return val, ok
 }
 func (client *Client) SetMetadata(key string, value string, limit int) (updated bool, err error) {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	if client.metadata == nil {
 		client.metadata = make(map[string]string)
 	}
 	existing, ok := client.metadata[key]
 	if !ok && len(client.metadata) >= limit {
 		return false, errLimitExceeded
 	}
 	updated = !ok || value != existing
 	if updated {
 		client.metadata[key] = value
 	}
 	return updated, nil
 }
 func (client *Client) UpdateMetadataFromPrereg(preregData map[string]string, limit int) (updates map[string]string) {
 	updates = make(map[string]string, len(preregData))
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	if client.metadata == nil {
 		client.metadata = make(map[string]string)
 	}
 	for k, v := range preregData {
 		// do not overwrite any existing keys
 		_, ok := client.metadata[k]
 		if ok {
 			continue
 		}
 		if len(client.metadata) >= limit {
 			return // we know this is a new key
 		}
 		client.metadata[k] = v
 		updates[k] = v
 	}
 	return
 }
 func (client *Client) ListMetadata() map[string]string {
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
 	return maps.Clone(client.metadata)
 }
 func (client *Client) DeleteMetadata(key string) (updated bool) {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	_, updated = client.metadata[key]
 	if updated {
 		delete(client.metadata, key)
 	}
 	return updated
 }
 func (client *Client) ClearMetadata() map[string]string {
 	client.stateMutex.Lock()
 	defer client.stateMutex.Unlock()
 	oldMap := client.metadata
 	client.metadata = nil
 	return oldMap
 }
 func (client *Client) CountMetadata() int {
 	client.stateMutex.RLock()
 	defer client.stateMutex.RUnlock()
 	return len(client.metadata)
 }
--- a/irc/handlers.go
+++ b/irc/handlers.go
@ -9,13 +9,11 @@ package irc
 import (
 	"bytes"
 	"fmt"
 	"maps"
 	"net"
 	"os"
 	"runtime"
 	"runtime/debug"
 	"runtime/pprof"
 	"slices"
 	"sort"
 	"strconv"
 	"strings"
@ -35,7 +33,6 @@ import (
 	"github.com/ergochat/ergo/irc/oauth2"
 	"github.com/ergochat/ergo/irc/sno"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 // helper function to parse ACC callbacks, e.g., mailto:person@example.com, tel:16505551234
@ -139,7 +136,7 @@ func sendSuccessfulAccountAuth(service *ircService, client *Client, rb *Response
 		}
 	}
-	client.server.logger.Info("accounts", rb.session.ConnID(), details.nick, "logged into account", details.accountName)
+	client.server.logger.Info("accounts", "client", details.nick, "logged into account", details.accountName)
 }
 func (server *Server) sendLoginSnomask(nickMask, accountName string) {
@ -151,8 +148,11 @@ func (server *Server) sendLoginSnomask(nickMask, accountName string) {
 // to indicate that it should be removed from the list
 func acceptHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	for _, tNick := range strings.Split(msg.Params[0], ",") {
-		tNick, negPrefix := strings.CutPrefix(tNick, "-")
+		add := true
-		add := !negPrefix
+		if strings.HasPrefix(tNick, "-") {
 			add = false
 			tNick = strings.TrimPrefix(tNick, "-")
 		}
 		target := server.clients.Get(tNick)
 		if target == nil {
@ -718,7 +718,7 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 				for _, target := range targets {
 					name := server.UnfoldName(target.CfName)
 					rb.Add(nil, server.name, "CHATHISTORY", "TARGETS", name,
-						target.Time.Format(utils.IRCv3TimestampFormat))
+						target.Time.Format(IRCv3TimestampFormat))
 				}
 			} else if channel != nil {
 				channel.replayHistoryItems(rb, items, true)
@ -753,15 +753,7 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 			msgid, err = history.NormalizeMsgid(value), nil
 			return
 		} else if identifier == "timestamp" {
-			timestamp, err = time.Parse(utils.IRCv3TimestampFormat, value)
+			timestamp, err = time.Parse(IRCv3TimestampFormat, value)
 			if err == nil {
 				timestamp = timestamp.UTC()
 				if timestamp.Before(unixEpoch) {
 					timestamp = unixEpoch
 				} else if timestamp.After(year2262Problem) {
 					timestamp = year2262Problem
 				}
 			}
 			return
 		}
 		return
@ -772,7 +764,7 @@ func chathistoryHandler(server *Server, client *Client, msg ircmsg.Message, rb *
 			return maxChathistoryLimit
 		}
 		limit, err := strconv.Atoi(msg.Params[paramIndex])
-		if err != nil || limit <= 0 || limit > maxChathistoryLimit {
+		if err != nil || limit == 0 || limit > maxChathistoryLimit {
 			limit = maxChathistoryLimit
 		}
 		return
@ -863,6 +855,7 @@ func debugHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respon
 	switch param {
 	case "GCSTATS":
 		stats := debug.GCStats{
 			Pause:          make([]time.Duration, 10),
 			PauseQuantiles: make([]time.Duration, 5),
 		}
 		debug.ReadGCStats(&stats)
@ -1328,15 +1321,6 @@ func isonHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respons
 	return false
 }
 // ISUPPORT
 func isupportHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	server.RplISupport(client, rb)
 	if !client.registered {
 		rb.session.isupportSentPrereg = true
 	}
 	return false
 }
 // JOIN <channel>{,<channel>} [<key>{,<key>}]
 func joinHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	// #1417: allow `JOIN 0` with a confirmation code
@ -1644,7 +1628,7 @@ func klineHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respon
 	// get comment(s)
 	reason, operReason := getReasonsFromParams(msg.Params, currentArg)
-	err = server.klines.AddMask(mask, duration, false, reason, operReason, operName)
+	err = server.klines.AddMask(mask, duration, reason, operReason, operName)
 	if err != nil {
 		rb.Notice(fmt.Sprintf(client.t("Could not successfully save new K-LINE: %s"), err.Error()))
 		return false
@ -1859,14 +1843,14 @@ func cmodeHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respon
 	if 1 < len(msg.Params) {
 		// parse out real mode changes
 		params := msg.Params[1:]
-		var unknown []rune
+		var unknown map[rune]bool
 		changes, unknown = modes.ParseChannelModeChanges(params...)
 		// alert for unknown mode changes
-		for _, char := range unknown {
+		for char := range unknown {
 			rb.Add(nil, server.name, ERR_UNKNOWNMODE, client.nick, string(char), client.t("is an unknown mode character to me"))
 		}
-		if len(unknown) != 0 && len(changes) == 0 {
+		if len(unknown) == 1 && len(changes) == 0 {
 			return false
 		}
 	}
@ -1950,10 +1934,10 @@ func umodeHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respon
 		changes, unknown := modes.ParseUserModeChanges(params...)
 		// alert for unknown mode changes
-		for _, char := range unknown {
+		for char := range unknown {
 			rb.Add(nil, server.name, ERR_UNKNOWNMODE, cDetails.nick, string(char), client.t("is an unknown mode character to me"))
 		}
-		if len(unknown) != 0 && len(changes) == 0 {
+		if len(unknown) == 1 && len(changes) == 0 {
 			return false
 		}
@ -2200,7 +2184,6 @@ func validateLineLen(msgType history.ItemType, source, target, payload string) (
 	default:
 		return true
 	}
 	limit -= len(target)
 	limit -= len(payload)
 	return limit >= 0
 }
@ -2473,20 +2456,6 @@ func dispatchMessageToTarget(client *Client, tags map[string]string, histType hi
 			Tags:    tags,
 		}
 		client.addHistoryItem(user, item, &details, &tDetails, config)
 		if config.WebPush.Enabled && histType != history.Tagmsg && user.hasPushSubscriptions() && client != user {
 			pushMsgBytes, err := webpush.MakePushMessage(command, nickMaskString, accountName, tnick, message)
 			if err == nil {
 				user.dispatchPushMessage(pushMessage{
 					msg:      pushMsgBytes,
 					urgency:  webpush.UrgencyHigh,
 					cftarget: details.nickCasefolded,
 					time:     message.Time,
 				})
 			} else {
 				server.logger.Error("internal", "can't serialize push message", err.Error())
 			}
 		}
 	}
 }
@ -2909,23 +2878,11 @@ func quitHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respons
 // REGISTER < account | * > < email | * > <password>
 func registerHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) (exiting bool) {
-	var accountName string
+	accountName := client.Nick()
-	if client.registered {
+	if accountName == "*" {
 		accountName = client.Nick()
 	} else {
 		accountName = client.preregNick
 	}
 	config := server.Config()
 	if client.registered && config.Accounts.NickReservation.ForceGuestFormat {
 		matches := config.Accounts.NickReservation.guestRegexp.FindStringSubmatch(accountName)
 		if matches == nil || len(matches) < 2 {
 			rb.Add(nil, server.name, "FAIL", "REGISTER", "INVALID_USERNAME", utils.SafeErrorParam(accountName), client.t("Username invalid or not given"))
 			return
 		}
 		accountName = matches[1]
 	}
 	switch msg.Params[0] {
 	case "*", accountName:
 		// ok
@ -2942,6 +2899,7 @@ func registerHandler(server *Server, client *Client, msg ircmsg.Message, rb *Res
 		return
 	}
 	config := server.Config()
 	if !config.Accounts.Registration.Enabled {
 		rb.Add(nil, server.name, "FAIL", "REGISTER", "DISALLOWED", accountName, client.t("Account registration is disabled"))
 		return
@ -2987,7 +2945,7 @@ func registerHandler(server *Server, client *Client, msg ircmsg.Message, rb *Res
 			announcePendingReg(client, rb, accountName)
 		}
 	case errAccountAlreadyRegistered, errAccountAlreadyUnregistered, errAccountMustHoldNick:
-		rb.Add(nil, server.name, "FAIL", "REGISTER", "ACCOUNT_EXISTS", accountName, client.t("Username is already registered or otherwise unavailable"))
+		rb.Add(nil, server.name, "FAIL", "REGISTER", "USERNAME_EXISTS", accountName, client.t("Username is already registered or otherwise unavailable"))
 	case errAccountBadPassphrase:
 		rb.Add(nil, server.name, "FAIL", "REGISTER", "INVALID_PASSWORD", accountName, client.t("Password was invalid"))
 	default:
@ -3065,14 +3023,13 @@ func markReadHandler(server *Server, client *Client, msg ircmsg.Message, rb *Res
 	// "MARKREAD client set command": MARKREAD <target> <timestamp>
 	readTimestamp := strings.TrimPrefix(msg.Params[1], "timestamp=")
-	readTime, err := time.Parse(utils.IRCv3TimestampFormat, readTimestamp)
+	readTime, err := time.Parse(IRCv3TimestampFormat, readTimestamp)
 	if err != nil {
 		rb.Add(nil, server.name, "FAIL", "MARKREAD", "INVALID_PARAMS", utils.SafeErrorParam(readTimestamp), client.t("Invalid timestamp"))
 		return
 	}
 	readTime = readTime.UTC()
 	result := client.SetReadMarker(cftarget, readTime)
-	readTimestamp = fmt.Sprintf("timestamp=%s", result.Format(utils.IRCv3TimestampFormat))
+	readTimestamp = fmt.Sprintf("timestamp=%s", result.Format(IRCv3TimestampFormat))
 	// inform the originating session whether it was a success or a no-op:
 	rb.Add(nil, server.name, "MARKREAD", unfoldedTarget, readTimestamp)
 	if result.Equal(readTime) {
@ -3083,291 +3040,10 @@ func markReadHandler(server *Server, client *Client, msg ircmsg.Message, rb *Res
 				session.Send(nil, server.name, "MARKREAD", unfoldedTarget, readTimestamp)
 			}
 		}
 		if client.clearClearablePushMessage(cftarget, readTime) {
 			line, err := webpush.MakePushLine(time.Now().UTC(), "*", server.name, "MARKREAD", unfoldedTarget, readTimestamp)
 			if err == nil {
 				client.dispatchPushMessage(pushMessage{
 					msg:                 line,
 					originatingEndpoint: rb.session.webPushEndpoint,
 					urgency:             webpush.UrgencyNormal, // copied from soju
 				})
 			} else {
 				server.logger.Error("internal", "couldn't serialize MARKREAD push message", err.Error())
 			}
 		}
 	}
 	return
 }
 // METADATA <target> <subcommand> [<and so on>...]
 func metadataHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) (exiting bool) {
 	config := server.Config()
 	if !config.Metadata.Enabled {
 		rb.Add(nil, server.name, "FAIL", "METADATA", "FORBIDDEN", utils.SafeErrorParam(msg.Params[0]), "Metadata is disabled on this server")
 		return
 	}
 	subcommand := strings.ToLower(msg.Params[1])
 	needsKey := subcommand == "set" || subcommand == "get" || subcommand == "sub" || subcommand == "unsub"
 	if needsKey && len(msg.Params) < 3 {
 		rb.Add(nil, server.name, ERR_NEEDMOREPARAMS, client.Nick(), msg.Command, client.t("Not enough parameters"))
 		return
 	}
 	switch subcommand {
 	case "sub", "unsub", "subs":
 		// these are session-local and function the same whether or not the client is registered
 		return metadataSubsHandler(client, subcommand, msg.Params, rb)
 	case "get", "set", "list", "clear", "sync":
 		if client.registered {
 			return metadataRegisteredHandler(client, config, subcommand, msg.Params, rb)
 		} else {
 			return metadataUnregisteredHandler(client, config, subcommand, msg.Params, rb)
 		}
 	default:
 		rb.Add(nil, server.name, "FAIL", "METADATA", "SUBCOMMAND_INVALID", utils.SafeErrorParam(msg.Params[1]), client.t("Invalid subcommand"))
 		return
 	}
 }
 // metadataRegisteredHandler handles metadata-modifying commands from registered clients
 func metadataRegisteredHandler(client *Client, config *Config, subcommand string, params []string, rb *ResponseBuffer) (exiting bool) {
 	server := client.server
 	target := params[0]
 	noKeyPerms := func(key string) {
 		rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_NO_PERMISSION", target, key, client.t("You do not have permission to perform this action"))
 	}
 	if target == "*" {
 		target = client.Nick()
 	}
 	var targetObj MetadataHaver
 	var targetClient *Client
 	var targetChannel *Channel
 	if strings.HasPrefix(target, "#") {
 		targetChannel = server.channels.Get(target)
 		if targetChannel != nil {
 			targetObj = targetChannel
 			target = targetChannel.Name() // canonicalize case
 		}
 	} else {
 		targetClient = server.clients.Get(target)
 		if targetClient != nil {
 			targetObj = targetClient
 			target = targetClient.Nick() // canonicalize case
 		}
 	}
 	if targetObj == nil {
 		rb.Add(nil, server.name, "FAIL", "METADATA", "INVALID_TARGET", target, client.t("Invalid metadata target"))
 		return
 	}
 	switch subcommand {
 	case "set":
 		key := params[2]
 		if metadataKeyIsEvil(key) {
 			rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_INVALID", utils.SafeErrorParam(key), client.t("Invalid key name"))
 			return
 		}
 		if !metadataCanIEditThisKey(client, targetObj, key) {
 			noKeyPerms(key)
 			return
 		}
 		if len(params) > 3 {
 			value := params[3]
 			config := client.server.Config()
 			if failMsg := metadataValueIsEvil(config, key, value); failMsg != "" {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "VALUE_INVALID", client.t(failMsg))
 				return
 			}
 			updated, err := targetObj.SetMetadata(key, value, config.Metadata.MaxKeys)
 			if err != nil {
 				// errLimitExceeded is the only possible error
 				rb.Add(nil, server.name, "FAIL", "METADATA", "LIMIT_REACHED", client.t("Too many metadata keys"))
 				return
 			}
 			// echo the value to the client whether or not there was a real update
 			rb.Add(nil, server.name, RPL_KEYVALUE, client.Nick(), target, key, "*", value)
 			if updated {
 				notifySubscribers(server, rb.session, targetObj, target, key, value, true)
 			}
 		} else {
 			if updated := targetObj.DeleteMetadata(key); updated {
 				notifySubscribers(server, rb.session, targetObj, target, key, "", false)
 				rb.Add(nil, server.name, RPL_KEYNOTSET, client.Nick(), target, key, client.t("Key deleted"))
 			} else {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_NOT_SET", utils.SafeErrorParam(key), client.t("Metadata key not set"))
 			}
 		}
 	case "get":
 		if !metadataCanISeeThisTarget(client, targetObj) {
 			noKeyPerms("*")
 			return
 		}
 		batchId := rb.StartNestedBatch("metadata", target)
 		defer rb.EndNestedBatch(batchId)
 		for _, key := range params[2:] {
 			if metadataKeyIsEvil(key) {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_INVALID", utils.SafeErrorParam(key), client.t("Invalid key name"))
 				continue
 			}
 			val, ok := targetObj.GetMetadata(key)
 			if !ok {
 				rb.Add(nil, server.name, RPL_KEYNOTSET, client.Nick(), target, key, client.t("Key is not set"))
 				continue
 			}
 			visibility := "*"
 			rb.Add(nil, server.name, RPL_KEYVALUE, client.Nick(), target, key, visibility, val)
 		}
 	case "list":
 		playMetadataList(rb, client.Nick(), target, targetObj.ListMetadata())
 	case "clear":
 		if !metadataCanIEditThisTarget(client, targetObj) {
 			noKeyPerms("*")
 			return
 		}
 		values := targetObj.ClearMetadata()
 		playMetadataList(rb, client.Nick(), target, values)
 	case "sync":
 		if targetChannel != nil {
 			syncChannelMetadata(server, rb, targetChannel)
 		}
 		if targetClient != nil {
 			syncClientMetadata(server, rb, targetClient)
 		}
 	}
 	return
 }
 // metadataUnregisteredHandler handles metadata-modifying commands for pre-connection-registration
 // clients. these operations act on a session-local buffer; if/when the client completes registration,
 // they are applied to the final Client object (possibly a different client if there was a reattach)
 // on a best-effort basis.
 func metadataUnregisteredHandler(client *Client, config *Config, subcommand string, params []string, rb *ResponseBuffer) (exiting bool) {
 	server := client.server
 	if params[0] != "*" {
 		rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_NO_PERMISSION", utils.SafeErrorParam(params[0]), "*", client.t("You can only modify your own metadata before completing connection registration"))
 		return
 	}
 	switch subcommand {
 	case "set":
 		if rb.session.metadataPreregVals == nil {
 			rb.session.metadataPreregVals = make(map[string]string)
 		}
 		key := params[2]
 		if metadataKeyIsEvil(key) {
 			rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_INVALID", utils.SafeErrorParam(key), client.t("Invalid key name"))
 			return
 		}
 		if len(params) >= 4 {
 			value := params[3]
 			// enforce a sane limit on prereg keys. we don't need to enforce the exact limit,
 			// that will be done when applying the buffer after registration
 			if len(rb.session.metadataPreregVals) > config.Metadata.MaxKeys {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "LIMIT_REACHED", client.t("Too many metadata keys"))
 				return
 			}
 			if failMsg := metadataValueIsEvil(config, key, value); failMsg != "" {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "VALUE_INVALID", client.t(failMsg))
 				return
 			}
 			rb.session.metadataPreregVals[key] = value
 			rb.Add(nil, server.name, RPL_KEYVALUE, "*", "*", key, "*", value)
 		} else {
 			// unset
 			_, present := rb.session.metadataPreregVals[key]
 			if present {
 				delete(rb.session.metadataPreregVals, key)
 				rb.Add(nil, server.name, RPL_KEYNOTSET, "*", "*", key, client.t("Key deleted"))
 			} else {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_NOT_SET", utils.SafeErrorParam(key), client.t("Metadata key not set"))
 			}
 		}
 	case "list":
 		playMetadataList(rb, "*", "*", rb.session.metadataPreregVals)
 	case "clear":
 		oldMetadata := rb.session.metadataPreregVals
 		rb.session.metadataPreregVals = nil
 		playMetadataList(rb, "*", "*", oldMetadata)
 	case "sync":
 		rb.Add(nil, server.name, RPL_METADATASYNCLATER, "*", utils.SafeErrorParam(params[1]), "60") // lol
 	}
 	return false
 }
 // metadataSubsHandler handles subscription-related commands;
 // these are handled the same whether the client is registered or not
 func metadataSubsHandler(client *Client, subcommand string, params []string, rb *ResponseBuffer) (exiting bool) {
 	server := client.server
 	switch subcommand {
 	case "sub":
 		keys := params[2:]
 		for _, key := range keys {
 			if metadataKeyIsEvil(key) {
 				rb.Add(nil, server.name, "FAIL", "METADATA", "KEY_INVALID", utils.SafeErrorParam(key), client.t("Invalid key name"))
 				return
 			}
 		}
 		added, err := rb.session.SubscribeTo(keys...)
 		if err == errMetadataTooManySubs {
 			bad := keys[len(added)] // get the key that broke the camel's back
 			rb.Add(nil, server.name, "FAIL", "METADATA", "TOO_MANY_SUBS", utils.SafeErrorParam(bad), client.t("Too many subscriptions"))
 		}
 		lineLength := MaxLineLen - len(server.name) - len(RPL_METADATASUBOK) - len(client.Nick()) - 10
 		chunked := utils.ChunkifyParams(slices.Values(added), lineLength)
 		for _, line := range chunked {
 			params := append([]string{client.Nick()}, line...)
 			rb.Add(nil, server.name, RPL_METADATASUBOK, params...)
 		}
 	case "unsub":
 		keys := params[2:]
 		removed := rb.session.UnsubscribeFrom(keys...)
 		lineLength := MaxLineLen - len(server.name) - len(RPL_METADATAUNSUBOK) - len(client.Nick()) - 10
 		chunked := utils.ChunkifyParams(slices.Values(removed), lineLength)
 		for _, line := range chunked {
 			params := append([]string{client.Nick()}, line...)
 			rb.Add(nil, server.name, RPL_METADATAUNSUBOK, params...)
 		}
 	case "subs":
 		lineLength := MaxLineLen - len(server.name) - len(RPL_METADATASUBS) - len(client.Nick()) - 10
 		subs := rb.session.MetadataSubscriptions()
 		batchID := rb.StartNestedBatch("metadata-subs")
 		defer rb.EndNestedBatch(batchID)
 		chunked := utils.ChunkifyParams(maps.Keys(subs), lineLength)
 		for _, line := range chunked {
 			params := append([]string{client.Nick()}, line...)
 			rb.Add(nil, server.name, RPL_METADATASUBS, params...)
 		}
 	}
 	return false
 }
 // REHASH
 func rehashHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	nick := client.Nick()
@ -3905,88 +3581,6 @@ func webircHandler(server *Server, client *Client, msg ircmsg.Message, rb *Respo
 	return true
 }
 // WEBPUSH <subcommand> <endpoint> [key]
 func webpushHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	subcommand := strings.ToUpper(msg.Params[0])
 	config := server.Config()
 	if !config.WebPush.Enabled {
 		rb.Add(nil, server.name, "FAIL", "WEBPUSH", "FORBIDDEN", subcommand, client.t("Web push is disabled"))
 		return false
 	}
 	if client.Account() == "" {
 		rb.Add(nil, server.name, "FAIL", "WEBPUSH", "FORBIDDEN", subcommand, client.t("You must be logged in to receive push messages"))
 		return false
 	}
 	// XXX web push can be used to deanonymize a Tor hidden service, but we do not know
 	// whether an Ergo deployment with a Tor listener is intended to run as a hidden
 	// service, or as a single onion service where Tor is optional. Hidden service operators
 	// should disable web push. However, as a sanity check, disallow enabling it over a Tor
 	// connection:
 	if rb.session.isTor {
 		rb.Add(nil, server.name, "FAIL", "WEBPUSH", "FORBIDDEN", subcommand, client.t("Web push cannot be enabled over Tor"))
 		return false
 	}
 	endpoint := msg.Params[1]
 	if err := webpush.SanityCheckWebPushEndpoint(endpoint); err != nil {
 		rb.Add(nil, server.name, "FAIL", "WEBPUSH", "INVALID_PARAMS", subcommand, client.t("Invalid web push URL"))
 	}
 	switch subcommand {
 	case "REGISTER":
 		// allow web push enable even if they are not always-on (they just won't get push messages)
 		if len(msg.Params) < 3 {
 			rb.Add(nil, server.name, "FAIL", "WEBPUSH", "INVALID_PARAMS", subcommand, client.t("Insufficient parameters for WEBPUSH REGISTER"))
 			return false
 		}
 		keys, err := webpush.DecodeSubscriptionKeys(msg.Params[2])
 		if err != nil {
 			rb.Add(nil, server.name, "FAIL", "WEBPUSH", "INVALID_PARAMS", subcommand, client.t("Invalid subscription keys for WEBPUSH REGISTER"))
 			return false
 		}
 		if client.refreshPushSubscription(endpoint, keys) {
 			// success, don't send a test message
 			rb.Add(nil, server.name, "WEBPUSH", "REGISTER", msg.Params[1], msg.Params[2])
 			rb.session.webPushEndpoint = endpoint
 			return false
 		}
 		// send a test message
 		if err := client.sendPush(
 			endpoint,
 			keys,
 			webpush.UrgencyHigh,
 			webpush.PingMessage,
 		); err == nil {
 			if err := client.addPushSubscription(endpoint, keys); err == nil {
 				rb.Add(nil, server.name, "WEBPUSH", "REGISTER", msg.Params[1], msg.Params[2])
 				rb.session.webPushEndpoint = endpoint
 				if !client.AlwaysOn() {
 					rb.Add(nil, server.name, "WARN", "WEBPUSH", "PERSISTENCE_REQUIRED", client.t("You have enabled push notifications, but you will not receive them unless you become always-on. Try: /msg nickserv set always-on true"))
 				}
 			} else if err == errLimitExceeded {
 				rb.Add(nil, server.name, "FAIL", "WEBPUSH", "FORBIDDEN", "REGISTER", client.t("You have too many push subscriptions already"))
 			} else {
 				server.logger.Error("webpush", "Failed to add webpush subscription", err.Error())
 				rb.Add(nil, server.name, "FAIL", "WEBPUSH", "INTERNAL_ERROR", "REGISTER", client.t("An error occurred"))
 			}
 		} else {
 			server.logger.Debug("webpush", "WEBPUSH REGISTER failed validation", endpoint, err.Error())
 			rb.Add(nil, server.name, "FAIL", "WEBPUSH", "INVALID_PARAMS", "REGISTER", client.t("Test push message failed to send"))
 		}
 	case "UNREGISTER":
 		client.deletePushSubscription(endpoint, true)
 		rb.session.webPushEndpoint = ""
 		// this always succeeds
 		rb.Add(nil, server.name, "WEBPUSH", "UNREGISTER", endpoint)
 	}
 	return false
 }
 type whoxFields uint32 // bitset to hold the WHOX field values, 'a' through 'z'
 func (fields whoxFields) Add(field rune) (result whoxFields) {
@ -4397,9 +3991,9 @@ func zncHandler(server *Server, client *Client, msg ircmsg.Message, rb *Response
 // fake handler for unknown commands
 func unknownCommandHandler(server *Server, client *Client, msg ircmsg.Message, rb *ResponseBuffer) bool {
 	var message string
-	if trimmedCmd, initialSlash := strings.CutPrefix(msg.Command, "/"); initialSlash {
+	if strings.HasPrefix(msg.Command, "/") {
 		message = fmt.Sprintf(client.t("Unknown command; if you are using /QUOTE, the correct syntax is /QUOTE %[1]s, not /QUOTE %[2]s"),
-			trimmedCmd, msg.Command)
+			strings.TrimPrefix(msg.Command, "/"), msg.Command)
 	} else {
 		message = client.t("Unknown command")
 	}
--- a/irc/help.go
+++ b/irc/help.go
@ -238,10 +238,11 @@ Get an explanation of <argument>, or "index" for a list of help topics.`,
 	"history": {
 		text: `HISTORY <target> [limit]
-Replay message history. <target> can be a channel name or a nickname you have
+Replay message history. <target> can be a channel name, "me" to replay direct
-direct message history with. [limit] can be either an integer (the maximum
+message history, or a nickname to replay another client's direct message
-number of messages to replay), or a time duration like 10m or 1h (the time
+history (they must be logged into the same account as you). [limit] can be
-window within which to replay messages).`,
+either an integer (the maximum number of messages to replay), or a time
 duration like 10m or 1h (the time window within which to replay messages).`,
 	},
 	"info": {
 		text: `INFO
@ -258,11 +259,6 @@ appropriate channel privs.`,
 		text: `ISON <nickname>{ <nickname>}
 Returns whether the given nicks exist on the network.`,
 	},
 	"isupport": {
 		text: `ISUPPORT
 Returns RPL_ISUPPORT lines describing the server's capabilities.`,
 	},
 	"join": {
 		text: `JOIN <channel>{,<channel>} [<key>{,<key>}]
@ -338,12 +334,6 @@ command is processed by that server.`,
 MARKREAD updates an IRCv3 read message marker. It is not intended for use by
 end users. For more details, see the latest draft of the read-marker
 specification.`,
 	},
 	"metadata": {
 		text: `METADATA <target> <subcommand> [<everything else>...]
 Retrieve and meddle with metadata for the given target.
 Have a look at https://ircv3.net/specs/extensions/metadata for interesting technical information.`,
 	},
 	"mode": {
 		text: `MODE <target> [<modestring> [<mode arguments>...]]
@ -615,11 +605,6 @@ ircv3.net/specs/extensions/webirc.html
 the connection from the client to the gateway, such as:
 - tls: this flag indicates that the client->gateway connection is secure`,
 	},
 	"webpush": {
 		text: `WEBPUSH <subcommand> [arguments]
 Configures web push settings. Not for direct use by end users.`,
 	},
 	"who": {
 		text: `WHO <name> [o]
--- a/irc/histserv.go
+++ b/irc/histserv.go
@ -164,7 +164,7 @@ func histservExportHandler(service *ircService, server *Server, client *Client,
 	config := server.Config()
 	// don't include the account name in the filename because of escaping concerns
-	filename := fmt.Sprintf("%s-%s.json", utils.GenerateSecretToken(), time.Now().UTC().Format(utils.IRCv3TimestampFormat))
+	filename := fmt.Sprintf("%s-%s.json", utils.GenerateSecretToken(), time.Now().UTC().Format(IRCv3TimestampFormat))
 	pathname := config.getOutputPath(filename)
 	outfile, err := os.Create(pathname)
 	if err != nil {
@ -177,7 +177,7 @@ func histservExportHandler(service *ircService, server *Server, client *Client,
 }
 func histservExportAndNotify(service *ircService, server *Server, cfAccount string, outfile *os.File, filename, alertNick string) {
-	defer server.HandlePanic(nil)
+	defer server.HandlePanic()
 	defer outfile.Close()
 	writer := bufio.NewWriter(outfile)
--- a/irc/import.go
+++ b/irc/import.go
@ -17,7 +17,6 @@ import (
 	"github.com/ergochat/ergo/irc/datastore"
 	"github.com/ergochat/ergo/irc/modes"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 const (
@ -25,7 +24,7 @@ const (
 	// XXX instead of referencing, e.g., keyAccountExists, we should write in the string literal
 	// (to ensure that no matter what code changes happen elsewhere, we're still producing a
 	// db of the hardcoded version)
-	importDBSchemaVersion = 24
+	importDBSchemaVersion = 23
 )
 type userImport struct {
@ -83,15 +82,6 @@ func doImportDBGeneric(config *Config, dbImport databaseImport, credsType Creden
 	tx.Set(keySchemaVersion, strconv.Itoa(importDBSchemaVersion), nil)
 	tx.Set(keyCloakSecret, utils.GenerateSecretKey(), nil)
 	vapidKeys, err := webpush.GenerateVAPIDKeys()
 	if err != nil {
 		return err
 	}
 	vapidKeysJSON, err := json.Marshal(vapidKeys)
 	if err != nil {
 		return err
 	}
 	tx.Set(keyVAPIDKeys, string(vapidKeysJSON), nil)
 	cfUsernames := make(utils.HashSet[string])
 	skeletonToUsername := make(map[string]string)
--- a/irc/isupport/list.go
+++ b/irc/isupport/list.go
@ -5,12 +5,12 @@ package isupport
 import (
 	"fmt"
-	"slices"
+	"sort"
 	"strings"
 )
 const (
-	maxPayloadLength = 380
+	maxLastArgLength = 400
 	/* Modern: "As the maximum number of message parameters to any reply is 15,
 	the maximum number of RPL_ISUPPORT tokens that can be advertised is 13."
@ -47,12 +47,6 @@ func (il *List) AddNoValue(name string) {
 	il.Tokens[name] = ""
 }
 // Contains returns whether the list already contains a token
 func (il *List) Contains(name string) bool {
 	_, ok := il.Tokens[name]
 	return ok
 }
 // getTokenString gets the appropriate string for a token+value.
 func getTokenString(name string, value string) string {
 	if len(value) == 0 {
@ -64,7 +58,7 @@ func getTokenString(name string, value string) string {
 // GetDifference returns the difference between two token lists.
 func (il *List) GetDifference(newil *List) [][]string {
-	var outTokens []string
+	var outTokens sort.StringSlice
 	// append removed tokens
 	for name := range il.Tokens {
@ -90,7 +84,7 @@ func (il *List) GetDifference(newil *List) [][]string {
 		outTokens = append(outTokens, token)
 	}
-	slices.Sort(outTokens)
+	sort.Sort(outTokens)
 	// create output list
 	replies := make([][]string, 0)
@ -98,7 +92,7 @@ func (il *List) GetDifference(newil *List) [][]string {
 	var cache []string // Token list cache
 	for _, token := range outTokens {
-		if len(token)+length <= maxPayloadLength {
+		if len(token)+length <= maxLastArgLength {
 			// account for the space separating tokens
 			if len(cache) > 0 {
 				length++
@ -107,7 +101,7 @@ func (il *List) GetDifference(newil *List) [][]string {
 			length += len(token)
 		}
-		if len(cache) == maxParameters || len(token)+length >= maxPayloadLength {
+		if len(cache) == maxParameters || len(token)+length >= maxLastArgLength {
 			replies = append(replies, cache)
 			cache = make([]string, 0)
 			length = 0
@ -121,54 +115,40 @@ func (il *List) GetDifference(newil *List) [][]string {
 	return replies
 }
 func validateToken(token string) error {
 	if len(token) == 0 || token[0] == ':' || strings.Contains(token, " ") {
 		return fmt.Errorf("bad isupport token (cannot be sent as IRC parameter): `%s`", token)
 	}
 	if strings.ContainsAny(token, "\n\r\x00") {
 		return fmt.Errorf("bad isupport token (contains forbidden octets)")
 	}
 	// technically a token can be maxPayloadLength if it occurs alone,
 	// but fail it just to be safe
 	if len(token) >= maxPayloadLength {
 		return fmt.Errorf("bad isupport token (too long): `%s`", token)
 	}
 	return nil
 }
 // RegenerateCachedReply regenerates the cached RPL_ISUPPORT reply
 func (il *List) RegenerateCachedReply() (err error) {
-	var tokens []string
+	il.CachedReply = make([][]string, 0)
-	for name, value := range il.Tokens {
+	var length int     // Length of the current cache
-		token := getTokenString(name, value)
+	var cache []string // Token list cache
-		if tokenErr := validateToken(token); tokenErr == nil {
+
 			tokens = append(tokens, token)
 		} else {
 			err = tokenErr
 		}
 	}
 	// make sure we get a sorted list of tokens, needed for tests and looks nice
-	slices.Sort(tokens)
+	var tokens sort.StringSlice
 	for name := range il.Tokens {
 		tokens = append(tokens, name)
 	}
 	sort.Sort(tokens)
-	var cache []string // Tokens in current line
+	for _, name := range tokens {
-	var length int     // Length of the current line
+		token := getTokenString(name, il.Tokens[name])
-
+		if token[0] == ':' || strings.Contains(token, " ") {
-	for _, token := range tokens {
+			err = fmt.Errorf("bad isupport token (cannot contain spaces or start with :): %s", token)
-		// account for the space separating tokens
+			continue
 		if len(cache) == maxParameters || (len(token)+1)+length > maxPayloadLength {
 			il.CachedReply = append(il.CachedReply, cache)
 			cache = nil
 			length = 0
 		}
 		if len(token)+length <= maxLastArgLength {
 			// account for the space separating tokens
 			if len(cache) > 0 {
 				length++
 			}
 		length += len(token)
 			cache = append(cache, token)
 			length += len(token)
 		}
 		if len(cache) == maxParameters || len(token)+length >= maxLastArgLength {
 			il.CachedReply = append(il.CachedReply, cache)
 			cache = make([]string, 0)
 			length = 0
 		}
 	}
 	if len(cache) > 0 {
--- a/irc/isupport/list_test.go
+++ b/irc/isupport/list_test.go
@ -37,7 +37,7 @@ func TestISUPPORT(t *testing.T) {
 	}
 	if !reflect.DeepEqual(tListLong.CachedReply, longReplies) {
-		t.Errorf("Multiple output replies did not match, got [%v]", tListLong.CachedReply)
+		t.Errorf("Multiple output replies did not match, got [%v]", longReplies)
 	}
 	// create first list
--- a/irc/kline.go
+++ b/irc/kline.go
@ -66,12 +66,11 @@ func (km *KLineManager) AllBans() map[string]IPBanInfo {
 }
 // AddMask adds to the blocked list.
-func (km *KLineManager) AddMask(mask string, duration time.Duration, requireSASL bool, reason, operReason, operName string) error {
+func (km *KLineManager) AddMask(mask string, duration time.Duration, reason, operReason, operName string) error {
 	km.persistenceMutex.Lock()
 	defer km.persistenceMutex.Unlock()
 	info := IPBanInfo{
 		RequireSASL: requireSASL,
 		Reason:      reason,
 		OperReason:  operReason,
 		OperName:    operName,
@ -209,14 +208,13 @@ func (km *KLineManager) CheckMasks(masks ...string) (isBanned bool, info IPBanIn
 	for _, entryInfo := range km.entries {
 		for _, mask := range masks {
 			if entryInfo.Matcher.MatchString(mask) {
-				// apply the most stringent ban (unconditional bans override require-sasl)
+				return true, entryInfo.Info
 				if !isBanned || info.RequireSASL {
 					isBanned, info = true, entryInfo.Info
 				}
 			}
 		}
 	}
 	// no matches!
 	isBanned = false
 	return
 }
--- a/irc/message_cache.go
+++ b/irc/message_cache.go
@ -45,7 +45,7 @@ type MessageCache struct {
 func addAllTags(msg *ircmsg.Message, tags map[string]string, serverTime time.Time, msgid, accountName string, isBot bool) {
 	msg.UpdateTags(tags)
-	msg.SetTag("time", serverTime.Format(utils.IRCv3TimestampFormat))
+	msg.SetTag("time", serverTime.Format(IRCv3TimestampFormat))
 	if accountName != "*" {
 		msg.SetTag("account", accountName)
 	}
--- a/irc/metadata.go
+++ b/irc/metadata.go
@ -1,174 +0,0 @@
 package irc
 import (
 	"errors"
 	"iter"
 	"maps"
 	"regexp"
 	"unicode/utf8"
 	"github.com/ergochat/ergo/irc/caps"
 	"github.com/ergochat/ergo/irc/modes"
 )
 const (
 	// metadata key + value need to be relayable on a single IRC RPL_KEYVALUE line
 	maxCombinedMetadataLenBytes = 350
 )
 var (
 	errMetadataTooManySubs = errors.New("too many subscriptions")
 	errMetadataNotFound    = errors.New("key not found")
 )
 type MetadataHaver = interface {
 	SetMetadata(key string, value string, limit int) (updated bool, err error)
 	GetMetadata(key string) (string, bool)
 	DeleteMetadata(key string) (updated bool)
 	ListMetadata() map[string]string
 	ClearMetadata() map[string]string
 	CountMetadata() int
 }
 func notifySubscribers(server *Server, session *Session, targetObj MetadataHaver, targetName, key, value string, set bool) {
 	var recipientSessions iter.Seq[*Session]
 	switch target := targetObj.(type) {
 	case *Client:
 		// TODO this case is expensive and might warrant rate-limiting
 		friends := target.FriendsMonitors(caps.Metadata)
 		// broadcast metadata update to other connected sessions
 		for _, s := range target.Sessions() {
 			friends.Add(s)
 		}
 		recipientSessions = maps.Keys(friends)
 	case *Channel:
 		recipientSessions = target.sessionsWithCaps(caps.Metadata)
 	default:
 		return // impossible
 	}
 	broadcastMetadataUpdate(server, recipientSessions, session, targetName, key, value, set)
 }
 func broadcastMetadataUpdate(server *Server, sessions iter.Seq[*Session], originator *Session, target, key, value string, set bool) {
 	for s := range sessions {
 		// don't notify the session that made the change
 		if s == originator || !s.isSubscribedTo(key) {
 			continue
 		}
 		if set {
 			s.Send(nil, server.name, "METADATA", target, key, "*", value)
 		} else {
 			s.Send(nil, server.name, "METADATA", target, key, "*")
 		}
 	}
 }
 func syncClientMetadata(server *Server, rb *ResponseBuffer, target *Client) {
 	batchId := rb.StartNestedBatch("metadata", target.Nick())
 	defer rb.EndNestedBatch(batchId)
 	subs := rb.session.MetadataSubscriptions()
 	values := target.ListMetadata()
 	for k, v := range values {
 		if subs.Has(k) {
 			visibility := "*"
 			rb.Add(nil, server.name, "METADATA", target.Nick(), k, visibility, v)
 		}
 	}
 }
 func syncChannelMetadata(server *Server, rb *ResponseBuffer, channel *Channel) {
 	batchId := rb.StartNestedBatch("metadata", channel.Name())
 	defer rb.EndNestedBatch(batchId)
 	subs := rb.session.MetadataSubscriptions()
 	chname := channel.Name()
 	values := channel.ListMetadata()
 	for k, v := range values {
 		if subs.Has(k) {
 			visibility := "*"
 			rb.Add(nil, server.name, "METADATA", chname, k, visibility, v)
 		}
 	}
 	for _, client := range channel.Members() {
 		values := client.ListMetadata()
 		for k, v := range values {
 			if subs.Has(k) {
 				visibility := "*"
 				rb.Add(nil, server.name, "METADATA", client.Nick(), k, visibility, v)
 			}
 		}
 	}
 }
 func playMetadataList(rb *ResponseBuffer, nick, target string, values map[string]string) {
 	batchId := rb.StartNestedBatch("metadata", target)
 	defer rb.EndNestedBatch(batchId)
 	for key, val := range values {
 		visibility := "*"
 		rb.Add(nil, rb.session.client.server.name, RPL_KEYVALUE, nick, target, key, visibility, val)
 	}
 }
 func playMetadataVerbBatch(rb *ResponseBuffer, target string, values map[string]string) {
 	batchId := rb.StartNestedBatch("metadata", target)
 	defer rb.EndNestedBatch(batchId)
 	for key, val := range values {
 		visibility := "*"
 		rb.Add(nil, rb.session.client.server.name, "METADATA", target, key, visibility, val)
 	}
 }
 var validMetadataKeyRegexp = regexp.MustCompile("^[a-z0-9_./-]+$")
 func metadataKeyIsEvil(key string) bool {
 	return !validMetadataKeyRegexp.MatchString(key)
 }
 func metadataValueIsEvil(config *Config, key, value string) (failMsg string) {
 	if !globalUtf8EnforcementSetting && !utf8.ValidString(value) {
 		return `METADATA values must be UTF-8`
 	}
 	if len(key)+len(value) > maxCombinedMetadataLenBytes ||
 		(config.Metadata.MaxValueBytes > 0 && len(value) > config.Metadata.MaxValueBytes) {
 		return `Value is too long`
 	}
 	return "" // success
 }
 func metadataCanIEditThisKey(client *Client, targetObj MetadataHaver, key string) bool {
 	// no key-specific logic as yet
 	return metadataCanIEditThisTarget(client, targetObj)
 }
 func metadataCanIEditThisTarget(client *Client, targetObj MetadataHaver) bool {
 	switch target := targetObj.(type) {
 	case *Client:
 		return client == target || client.HasRoleCapabs("metadata")
 	case *Channel:
 		return target.ClientIsAtLeast(client, modes.Operator) || client.HasRoleCapabs("metadata")
 	default:
 		return false // impossible
 	}
 }
 func metadataCanISeeThisTarget(client *Client, targetObj MetadataHaver) bool {
 	switch target := targetObj.(type) {
 	case *Client:
 		return true
 	case *Channel:
 		return target.hasClient(client) || client.HasRoleCapabs("metadata")
 	default:
 		return false // impossible
 	}
 }
--- a/irc/metadata_test.go
+++ b/irc/metadata_test.go
@ -1,25 +0,0 @@
 package irc
 import "testing"
 func TestKeyCheck(t *testing.T) {
 	cases := []struct {
 		input  string
 		isEvil bool
 	}{
 		{"ImNormalButIHaveCaps", true},
 		{"imnormalandidonthavecaps", false},
 		{"ergo.chat/vendor-extension", false},
 		{"", true},
 		{":imevil", true},
 		{"im:evil", true},
 		{"key£with$not%allowed^chars", true},
 		{"key.thats_completely/normal-and.fine", false},
 	}
 	for _, c := range cases {
 		if metadataKeyIsEvil(c.input) != c.isEvil {
 			t.Errorf("%s should have returned %v. but it didn't. so that's not great", c.input, c.isEvil)
 		}
 	}
 }
--- a/irc/modes.go
+++ b/irc/modes.go
@ -116,7 +116,7 @@ func ApplyUserModeChanges(client *Client, changes modes.ModeChanges, force bool,
 }
 // parseDefaultModes uses the provided mode change parser to parse the rawModes.
-func parseDefaultModes(rawModes string, parser func(params ...string) (modes.ModeChanges, []rune)) modes.Modes {
+func parseDefaultModes(rawModes string, parser func(params ...string) (modes.ModeChanges, map[rune]bool)) modes.Modes {
 	modeChangeStrings := strings.Fields(rawModes)
 	modeChanges, _ := parser(modeChangeStrings...)
 	defaultModes := make(modes.Modes, 0)
@ -266,9 +266,9 @@ func (channel *Channel) ApplyChannelModeChanges(client *Client, isSamode bool, c
 			case modes.Add:
 				ch := client.server.channels.Get(change.Arg)
 				if ch == nil {
-					rb.Add(nil, client.server.name, ERR_INVALIDMODEPARAM, details.nick, chname, string(change.Mode), utils.SafeErrorParam(change.Arg), client.t("No such channel"))
+					rb.Add(nil, client.server.name, ERR_INVALIDMODEPARAM, details.nick, chname, string(change.Mode), utils.SafeErrorParam(change.Arg), fmt.Sprintf(client.t("No such channel")))
 				} else if ch == channel {
-					rb.Add(nil, client.server.name, ERR_INVALIDMODEPARAM, details.nick, chname, string(change.Mode), utils.SafeErrorParam(change.Arg), client.t("You can't forward a channel to itself"))
+					rb.Add(nil, client.server.name, ERR_INVALIDMODEPARAM, details.nick, chname, string(change.Mode), utils.SafeErrorParam(change.Arg), fmt.Sprintf(client.t("You can't forward a channel to itself")))
 				} else {
 					if isSamode || ch.ClientIsAtLeast(client, modes.ChannelOperator) {
 						change.Arg = ch.Name()
--- a/irc/modes/modes.go
+++ b/irc/modes/modes.go
@ -7,7 +7,7 @@ package modes
 import (
 	"fmt"
-	"slices"
+	"sort"
 	"strings"
 	"github.com/ergochat/ergo/irc/utils"
@ -189,7 +189,10 @@ func GetLowestChannelModePrefix(prefixes string) (lowest Mode) {
 //
 // ParseUserModeChanges returns the valid changes, and the list of unknown chars.
-func ParseUserModeChanges(params ...string) (changes ModeChanges, unknown []rune) {
+func ParseUserModeChanges(params ...string) (ModeChanges, map[rune]bool) {
 	changes := make(ModeChanges, 0)
 	unknown := make(map[rune]bool)
 	op := List
 	if 0 < len(params) {
@ -216,19 +219,30 @@ func ParseUserModeChanges(params ...string) (changes ModeChanges, unknown []rune
 				}
 			}
-			if slices.Contains(SupportedUserModes, Mode(mode)) {
+			var isKnown bool
-				changes = append(changes, change)
+			for _, supportedMode := range SupportedUserModes {
-			} else {
+				if rune(supportedMode) == mode {
-				unknown = append(unknown, mode)
+					isKnown = true
 					break
 				}
 			}
 			if !isKnown {
 				unknown[mode] = true
 				continue
 			}
 			changes = append(changes, change)
 		}
 	}
 	return changes, unknown
 }
 // ParseChannelModeChanges returns the valid changes, and the list of unknown chars.
-func ParseChannelModeChanges(params ...string) (changes ModeChanges, unknown []rune) {
+func ParseChannelModeChanges(params ...string) (ModeChanges, map[rune]bool) {
 	changes := make(ModeChanges, 0)
 	unknown := make(map[rune]bool)
 	op := List
 	if 0 < len(params) {
@ -290,12 +304,26 @@ func ParseChannelModeChanges(params ...string) (changes ModeChanges, unknown []r
 				}
 			}
-			if slices.Contains(SupportedChannelModes, Mode(mode)) || slices.Contains(ChannelUserModes, Mode(mode)) {
+			var isKnown bool
-				changes = append(changes, change)
+			for _, supportedMode := range SupportedChannelModes {
-			} else {
+				if rune(supportedMode) == mode {
-				unknown = append(unknown, mode)
+					isKnown = true
 					break
 				}
 			}
 			for _, supportedMode := range ChannelUserModes {
 				if rune(supportedMode) == mode {
 					isKnown = true
 					break
 				}
 			}
 			if !isKnown {
 				unknown[mode] = true
 				continue
 			}
 			changes = append(changes, change)
 		}
 	}
 	return changes, unknown
@ -400,37 +428,33 @@ func (set *ModeSet) HighestChannelUserMode() (result Mode) {
 	return
 }
-var (
+type ByCodepoint Modes
 	rplMyInfo1, rplMyInfo2, rplMyInfo3, chanmodesToken string
 )
-func init() {
+func (a ByCodepoint) Len() int           { return len(a) }
-	initRplMyInfo()
+func (a ByCodepoint) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
-	initChanmodesToken()
+func (a ByCodepoint) Less(i, j int) bool { return a[i] < a[j] }
 }
-func initRplMyInfo() {
+func RplMyInfo() (param1, param2, param3 string) {
 	// initialize constant strings published in initial numerics
 	userModes := make(Modes, len(SupportedUserModes), len(SupportedUserModes)+1)
 	copy(userModes, SupportedUserModes)
 	// TLS is not in SupportedUserModes because it can't be modified
 	userModes = append(userModes, TLS)
-	slices.Sort(userModes)
+	sort.Sort(ByCodepoint(userModes))
 	channelModes := make(Modes, len(SupportedChannelModes)+len(ChannelUserModes))
 	copy(channelModes, SupportedChannelModes)
 	copy(channelModes[len(SupportedChannelModes):], ChannelUserModes)
-	slices.Sort(channelModes)
+	sort.Sort(ByCodepoint(channelModes))
 	// XXX enumerate these by hand, i can't see any way to DRY this
 	channelParametrizedModes := Modes{BanMask, ExceptMask, InviteMask, Key, UserLimit, Forward}
 	channelParametrizedModes = append(channelParametrizedModes, ChannelUserModes...)
-	slices.Sort(channelParametrizedModes)
+	sort.Sort(ByCodepoint(channelParametrizedModes))
-	rplMyInfo1, rplMyInfo2, rplMyInfo3 = userModes.String(), channelModes.String(), channelParametrizedModes.String()
+	return userModes.String(), channelModes.String(), channelParametrizedModes.String()
 }
-func initChanmodesToken() {
+func ChanmodesToken() (result string) {
 	// https://modern.ircdocs.horse#chanmodes-parameter
 	// type A: listable modes with parameters
 	A := Modes{BanMask, ExceptMask, InviteMask}
@ -441,18 +465,10 @@ func initChanmodesToken() {
 	// type D: modes without parameters
 	D := Modes{InviteOnly, Moderated, NoOutside, OpOnlyTopic, ChanRoleplaying, Secret, NoCTCP, RegisteredOnly, RegisteredOnlySpeak, Auditorium, OpModerated}
-	slices.Sort(A)
+	sort.Sort(ByCodepoint(A))
-	slices.Sort(B)
+	sort.Sort(ByCodepoint(B))
-	slices.Sort(C)
+	sort.Sort(ByCodepoint(C))
-	slices.Sort(D)
+	sort.Sort(ByCodepoint(D))
-	chanmodesToken = fmt.Sprintf("%s,%s,%s,%s", A.String(), B.String(), C.String(), D.String())
+	return fmt.Sprintf("%s,%s,%s,%s", A.String(), B.String(), C.String(), D.String())
 }
 func RplMyInfo() (param1, param2, param3 string) {
 	return rplMyInfo1, rplMyInfo2, rplMyInfo3
 }
 func ChanmodesToken() (result string) {
 	return chanmodesToken
 }
--- a/irc/modes/modes_test.go
+++ b/irc/modes/modes_test.go
@ -5,7 +5,6 @@ package modes
 import (
 	"reflect"
 	"slices"
 	"strings"
 	"testing"
 )
@ -17,7 +16,7 @@ func assertEqual(supplied, expected interface{}, t *testing.T) {
 }
 func TestParseUserModeChanges(t *testing.T) {
-	var emptyUnknown []rune
+	emptyUnknown := make(map[rune]bool)
 	changes, unknown := ParseUserModeChanges("+i")
 	assertEqual(unknown, emptyUnknown, t)
 	assertEqual(changes, ModeChanges{ModeChange{Op: Add, Mode: Invisible}}, t)
@ -49,11 +48,10 @@ func TestParseUserModeChanges(t *testing.T) {
 }
 func TestIssue874(t *testing.T) {
-	var emptyModeChanges ModeChanges
+	emptyUnknown := make(map[rune]bool)
 	var emptyUnknown []rune
 	modes, unknown := ParseChannelModeChanges("+k")
 	assertEqual(unknown, emptyUnknown, t)
-	assertEqual(modes, emptyModeChanges, t)
+	assertEqual(modes, ModeChanges{}, t)
 	modes, unknown = ParseChannelModeChanges("+k", "beer")
 	assertEqual(unknown, emptyUnknown, t)
@ -153,7 +151,7 @@ func TestParseChannelModeChanges(t *testing.T) {
 	}
 	modes, unknown = ParseChannelModeChanges("+tx")
-	if len(unknown) != 1 || !slices.Contains(unknown, 'x') {
+	if len(unknown) != 1 || !unknown['x'] {
 		t.Errorf("expected that x is an unknown mode, instead: %v", unknown)
 	}
 	expected = ModeChange{
--- a/irc/mysql/history.go
+++ b/irc/mysql/history.go
@ -961,7 +961,7 @@ func (mysql *MySQL) listCorrespondentsInternal(ctx context.Context, target strin
 		}
 		results = append(results, history.TargetListing{
 			CfName: correspondent,
-			Time:   time.Unix(0, nanotime).UTC(),
+			Time:   time.Unix(0, nanotime),
 		})
 	}
@ -1014,7 +1014,7 @@ func (mysql *MySQL) ListChannels(cfchannels []string) (results []history.TargetL
 		}
 		results = append(results, history.TargetListing{
 			CfName: target,
-			Time:   time.Unix(0, nanotime).UTC(),
+			Time:   time.Unix(0, nanotime),
 		})
 	}
 	return
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@ -241,18 +241,6 @@ indicate an empty password, use * instead.`,
 		"password": {
 			aliasOf: "passwd",
 		},
 		"push": {
 			handler: nsPushHandler,
 			help: `Syntax: $bPUSH LIST$b
 Or:     $bPUSH DELETE <endpoint>$b
 PUSH lets you view or modify the state of your push subscriptions.`,
 			helpShort: `$bPUSH$b lets you view or modify your push subscriptions.`,
 			enabled: func(config *Config) bool {
 				return config.WebPush.Enabled
 			},
 			minParams: 1,
 		},
 		"get": {
 			handler: nsGetHandler,
 			help: `Syntax: $bGET <setting>$b
@ -1055,10 +1043,10 @@ func nsSaregisterHandler(service *ircService, server *Server, client *Client, co
 		var failCode string
 		if err == errAccountAlreadyRegistered || err == errAccountAlreadyVerified {
 			errMsg = client.t("Account already exists")
-			failCode = "ACCOUNT_EXISTS"
+			failCode = "USERNAME_EXISTS"
 		} else if err == errNameReserved {
 			errMsg = client.t(err.Error())
-			failCode = "ACCOUNT_EXISTS"
+			failCode = "USERNAME_EXISTS"
 		} else if err == errAccountBadPassphrase {
 			errMsg = client.t("Passphrase contains forbidden characters or is otherwise invalid")
 			failCode = "INVALID_PASSWORD"
@ -1324,9 +1312,6 @@ func nsClientsListHandler(service *ircService, server *Server, client *Client, p
 		if session.deviceID != "" {
 			service.Notice(rb, fmt.Sprintf(client.t("Device ID:   %s"), session.deviceID))
 		}
 		if hasPrivs {
 			service.Notice(rb, fmt.Sprintf(client.t("Debug log ID: %s"), session.connID))
 		}
 		service.Notice(rb, fmt.Sprintf(client.t("IP address:  %s"), session.ip.String()))
 		service.Notice(rb, fmt.Sprintf(client.t("Hostname:    %s"), session.hostname))
 		if hasPrivs {
@ -1671,48 +1656,3 @@ func nsRenameHandler(service *ircService, server *Server, client *Client, comman
 		}
 	}
 }
 func nsPushHandler(service *ircService, server *Server, client *Client, command string, params []string, rb *ResponseBuffer) {
 	switch strings.ToUpper(params[0]) {
 	case "LIST":
 		target := client
 		if len(params) > 1 && client.HasRoleCapabs("accreg") {
 			target = server.clients.Get(params[1])
 			if target == nil {
 				service.Notice(rb, client.t("No such nick"))
 				return
 			}
 		}
 		subscriptions := target.getPushSubscriptions(true)
 		service.Notice(rb, fmt.Sprintf(client.t("Nickname %[1]s has %[2]d push subscription(s)"), target.Nick(), len(subscriptions)))
 		for i, subscription := range subscriptions {
 			service.Notice(rb, fmt.Sprintf(client.t("Subscription %d:"), i+1))
 			service.Notice(rb, fmt.Sprintf(client.t("Endpoint:     %s"), subscription.Endpoint))
 			service.Notice(rb, fmt.Sprintf(client.t("Last renewal: %s"), subscription.LastRefresh.Format(time.RFC1123)))
 			service.Notice(rb, fmt.Sprintf(client.t("Last push:    %s"), subscription.LastSuccess.Format(time.RFC1123)))
 		}
 	case "DELETE":
 		if len(params) < 2 {
 			service.Notice(rb, client.t("Invalid parameters"))
 			return
 		}
 		target := client
 		endpoint := params[1]
 		if len(params) > 2 && client.HasRoleCapabs("accreg") {
 			target = server.clients.Get(params[1])
 			if target == nil {
 				service.Notice(rb, client.t("No such nick"))
 				return
 			}
 			endpoint = params[2]
 		}
 		changed := target.deletePushSubscription(endpoint, true)
 		if changed {
 			service.Notice(rb, client.t("Successfully deleted push subscription"))
 		} else {
 			service.Notice(rb, client.t("Push subscription not found"))
 		}
 	default:
 		service.Notice(rb, client.t("Invalid parameters"))
 	}
 }
--- a/irc/numerics.go
+++ b/irc/numerics.go
@ -183,12 +183,6 @@ const (
 	RPL_MONLIST            = "732"
 	RPL_ENDOFMONLIST       = "733"
 	ERR_MONLISTFULL        = "734"
 	RPL_KEYVALUE           = "761" // metadata numerics
 	RPL_KEYNOTSET          = "766"
 	RPL_METADATASUBOK      = "770"
 	RPL_METADATAUNSUBOK    = "771"
 	RPL_METADATASUBS       = "772"
 	RPL_METADATASYNCLATER  = "774"
 	RPL_LOGGEDIN           = "900"
 	RPL_LOGGEDOUT          = "901"
 	ERR_NICKLOCKED         = "902"
--- a/irc/panic.go
+++ b/irc/panic.go
@ -6,19 +6,14 @@ package irc
 import (
 	"fmt"
 	"runtime/debug"
 	"time"
 )
 // HandlePanic is a general-purpose panic handler for ad-hoc goroutines.
 // Because of the semantics of `recover`, it must be called directly
 // from the routine on whose call stack the panic would occur, with `defer`,
 // e.g. `defer server.HandlePanic()`
-func (server *Server) HandlePanic(restartable func()) {
+func (server *Server) HandlePanic() {
 	if r := recover(); r != nil {
 		server.logger.Error("internal", fmt.Sprintf("Panic encountered: %v\n%s", r, debug.Stack()))
 		if restartable != nil {
 			time.Sleep(time.Second)
 			go restartable()
 		}
 	}
 }
--- a/irc/passwd/bcrypt.go
+++ b/irc/passwd/bcrypt.go
@ -3,11 +3,8 @@
 package passwd
-import (
+import "golang.org/x/crypto/bcrypt"
-	"crypto/sha3"
+import "golang.org/x/crypto/sha3"
 	"golang.org/x/crypto/bcrypt"
 )
 const (
 	MinCost     = bcrypt.MinCost
--- a/irc/roleplay.go
+++ b/irc/roleplay.go
@ -13,8 +13,8 @@ import (
 )
 const (
-	defaultNPCNickMask   = "*%s*!%s@npc.fakeuser.invalid"
+	npcNickMask   = "*%s*!%s@npc.fakeuser.invalid"
-	defaultSceneNickMask = "=Scene=!%s@npc.fakeuser.invalid"
+	sceneNickMask = "=Scene=!%s@npc.fakeuser.invalid"
 )
 func sendRoleplayMessage(server *Server, client *Client, source string, targetString string, isScene, isAction bool, messageParts []string, rb *ResponseBuffer) {
@ -30,7 +30,7 @@ func sendRoleplayMessage(server *Server, client *Client, source string, targetSt
 	var sourceMask string
 	if isScene {
-		sourceMask = fmt.Sprintf(server.Config().Roleplay.SceneNickMask, client.Nick())
+		sourceMask = fmt.Sprintf(sceneNickMask, client.Nick())
 	} else {
 		cfSource, cfSourceErr := CasefoldName(source)
 		skelSource, skelErr := Skeleton(source)
@ -39,7 +39,7 @@ func sendRoleplayMessage(server *Server, client *Client, source string, targetSt
 			rb.Add(nil, client.server.name, ERR_CANNOTSENDRP, targetString, client.t("Invalid roleplay name"))
 			return
 		}
-		sourceMask = fmt.Sprintf(server.Config().Roleplay.NPCNickMask, source, client.Nick())
+		sourceMask = fmt.Sprintf(npcNickMask, source, client.Nick())
 	}
 	// block attempts to send CTCP messages to Tor clients
--- a/irc/server.go
+++ b/irc/server.go
@ -36,16 +36,26 @@ import (
 	"github.com/ergochat/ergo/irc/mysql"
 	"github.com/ergochat/ergo/irc/sno"
 	"github.com/ergochat/ergo/irc/utils"
 	"github.com/ergochat/ergo/irc/webpush"
 )
 const (
 	alwaysOnMaintenanceInterval = 30 * time.Minute
-	pushMaintenanceInterval     = 24 * time.Hour
+)
 var (
 	// common error line to sub values into
 	errorMsg = "ERROR :%s\r\n"
 	// three final parameters of 004 RPL_MYINFO, enumerating our supported modes
 	rplMyInfo1, rplMyInfo2, rplMyInfo3 = modes.RplMyInfo()
 	// CHANMODES isupport token
 	chanmodesToken = modes.ChanmodesToken()
 	// whitelist of caps to serve on the STS-only listener. In particular,
 	// never advertise SASL, to discourage people from sending their passwords:
 	stsOnlyCaps = caps.NewSet(caps.STS, caps.MessageTags, caps.ServerTime, caps.Batch, caps.LabeledResponse, caps.EchoMessage, caps.Nope)
 	// we only have standard channels for now. TODO: any updates to this
 	// will also need to be reflected in CasefoldChannel
 	chanTypes = "#"
@ -53,17 +63,6 @@ const (
 	throttleMessage = "You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect."
 )
 var (
 	// whitelist of caps to serve on the STS-only listener. In particular,
 	// never advertise SASL, to discourage people from sending their passwords:
 	stsOnlyCaps = caps.NewSet(caps.STS, caps.MessageTags, caps.ServerTime, caps.Batch, caps.LabeledResponse, caps.EchoMessage, caps.Nope)
 	httpVerbs = utils.SetLiteral("CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE")
 	unixEpoch       = time.Unix(0, 0).UTC()
 	year2262Problem = time.Unix(0, 1<<63-1).UTC() // this is the maximum time for which (*time.Time).UnixNano() is well-defined
 )
 // Server is the main Oragono server.
 type Server struct {
 	accepts           AcceptManager
@ -96,13 +95,7 @@ type Server struct {
 	stats             Stats
 	semaphores        ServerSemaphores
 	flock             flock.Flocker
 	connIDCounter     atomic.Uint64
 	defcon            atomic.Uint32
 	// API stuff
 	apiHandler  http.Handler // always initialized
 	apiListener *utils.ReloadableListener
 	apiServer   *http.Server // nil if API is not enabled
 }
 // NewServer returns a new Oragono server.
@ -129,8 +122,6 @@ func NewServer(config *Config, logger *logger.Manager) (*Server, error) {
 	server.monitorManager.Initialize()
 	server.snomasks.Initialize()
 	server.apiHandler = newAPIHandler(server)
 	if err := server.applyConfig(config); err != nil {
 		return nil, err
 	}
@ -143,7 +134,6 @@ func NewServer(config *Config, logger *logger.Manager) (*Server, error) {
 	}
 	time.AfterFunc(alwaysOnMaintenanceInterval, server.periodicAlwaysOnMaintenance)
 	time.AfterFunc(pushMaintenanceInterval, server.periodicPushMaintenance)
 	return server, nil
 }
@ -276,7 +266,7 @@ func (server *Server) periodicAlwaysOnMaintenance() {
 		time.AfterFunc(alwaysOnMaintenanceInterval, server.periodicAlwaysOnMaintenance)
 	}()
-	defer server.HandlePanic(nil)
+	defer server.HandlePanic()
 	server.logger.Info("accounts", "Performing periodic always-on client checks")
 	server.performAlwaysOnMaintenance(true, true)
@ -300,47 +290,6 @@ func (server *Server) performAlwaysOnMaintenance(checkExpiration, flushTimestamp
 	}
 }
 func (server *Server) periodicPushMaintenance() {
 	defer func() {
 		// reschedule whether or not there was a panic
 		time.AfterFunc(pushMaintenanceInterval, server.periodicPushMaintenance)
 	}()
 	defer server.HandlePanic(nil)
 	if server.Config().WebPush.Enabled {
 		server.logger.Info("webpush", "Performing periodic push subscription maintenance")
 		server.performPushMaintenance()
 	} // else: reschedule and check again later, the operator may enable it via rehash
 }
 func (server *Server) performPushMaintenance() {
 	expiration := time.Duration(server.Config().WebPush.Expiration)
 	for _, client := range server.clients.AllWithPushSubscriptions() {
 		for _, sub := range client.getPushSubscriptions(true) {
 			now := time.Now()
 			// require both periodic successful push messages and renewal of the subscription via WEBPUSH REGISTER
 			if now.Sub(sub.LastSuccess) > expiration || now.Sub(sub.LastRefresh) > expiration {
 				server.logger.Debug("webpush", "expiring push subscription for client", client.Nick(), sub.Endpoint)
 				client.deletePushSubscription(sub.Endpoint, false)
 			} else if now.Sub(sub.LastSuccess) > expiration/2 {
 				// we haven't pushed to them recently, make an attempt
 				server.logger.Debug("webpush", "pinging push subscription for client", client.Nick(), sub.Endpoint)
 				client.sendAndTrackPush(
 					sub.Endpoint, sub.Keys,
 					pushMessage{
 						msg:     webpush.PingMessage,
 						urgency: webpush.UrgencyNormal,
 					},
 					false,
 				)
 			}
 		}
 		// persist all push subscriptions on the assumption that the timestamps have changed
 		client.Store(IncludePushSubscriptions)
 	}
 }
 // handles server.ip-check-script.exempt-sasl:
 // run the ip check script at the end of the handshake, only for anonymous connections
 func (server *Server) checkBanScriptExemptSASL(config *Config, session *Session) (outcome AuthOutcome) {
@ -353,7 +302,7 @@ func (server *Server) checkBanScriptExemptSASL(config *Config, session *Session)
 		return authSuccess
 	}
 	if output.Result == IPBanned || output.Result == IPRequireSASL {
-		server.logger.Info("connect-ip", session.connID, "Rejecting unauthenticated client due to ip-check-script", ipaddr.String())
+		server.logger.Info("connect-ip", "Rejecting unauthenticated client due to ip-check-script", ipaddr.String())
 		if output.BanMessage != "" {
 			session.client.requireSASLMessage = output.BanMessage
 		}
@ -428,25 +377,16 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
 		c.SetMode(defaultMode, true)
 	}
 	c.applyPreregMetadata(session)
 	// this is not a reattach, so if the client is always-on, this is the first time
 	// the Client object was created during the current server uptime. mark dirty in
 	// order to persist the realname and the user modes:
 	if c.AlwaysOn() {
 		c.markDirty(IncludeAllAttrs)
 	}
 	// count new user in statistics (before checking KLINEs, see #1303)
 	server.stats.Register(c.HasMode(modes.Invisible))
 	// check KLINEs (#671: ignore KLINEs for loopback connections)
 	if !session.IP().IsLoopback() || session.isTor {
 		isBanned, info := server.klines.CheckMasks(c.AllNickmasks()...)
-		if isBanned && !(info.RequireSASL && session.client.Account() != "") {
+		if isBanned {
 			c.setKlined()
 			c.Quit(info.BanMessage(c.t("You are banned from this server (%s)")), nil)
-			server.logger.Info("connect", session.connID, "Client rejected by k-line", c.NickMaskString())
+			server.logger.Info("connect", "Client rejected by k-line", c.NickMaskString())
 			return true
 		}
 	}
@ -478,7 +418,7 @@ func (server *Server) playRegistrationBurst(session *Session) {
 	c := session.client
 	// continue registration
 	d := c.Details()
-	server.logger.Info("connect", session.connID, fmt.Sprintf("Client connected [%s] [u:%s] [r:%s]", d.nick, d.username, d.realname))
+	server.logger.Info("connect", fmt.Sprintf("Client connected [%s] [u:%s] [r:%s]", d.nick, d.username, d.realname))
 	server.snomasks.Send(sno.LocalConnects, fmt.Sprintf("Client connected [%s] [u:%s] [h:%s] [ip:%s] [r:%s]", d.nick, d.username, session.rawHostname, session.IP().String(), d.realname))
 	if d.account != "" {
 		server.sendLoginSnomask(d.nickMask, d.accountName)
@ -491,16 +431,10 @@ func (server *Server) playRegistrationBurst(session *Session) {
 	session.Send(nil, server.name, RPL_WELCOME, d.nick, fmt.Sprintf(c.t("Welcome to the %s IRC Network %s"), config.Network.Name, d.nick))
 	session.Send(nil, server.name, RPL_YOURHOST, d.nick, fmt.Sprintf(c.t("Your host is %[1]s, running version %[2]s"), server.name, Ver))
 	session.Send(nil, server.name, RPL_CREATED, d.nick, fmt.Sprintf(c.t("This server was created %s"), server.ctime.Format(time.RFC1123)))
 	rplMyInfo1, rplMyInfo2, rplMyInfo3 := modes.RplMyInfo()
 	session.Send(nil, server.name, RPL_MYINFO, d.nick, server.name, Ver, rplMyInfo1, rplMyInfo2, rplMyInfo3)
 	rb := NewResponseBuffer(session)
 	if !(rb.session.capabilities.Has(caps.ExtendedISupport) && rb.session.isupportSentPrereg) {
 	server.RplISupport(c, rb)
 	}
 	if session.capabilities.Has(caps.Metadata) {
 		playMetadataVerbBatch(rb, d.nick, c.ListMetadata())
 	}
 	if d.account != "" && session.capabilities.Has(caps.Persistence) {
 		reportPersistenceStatus(c, rb, false)
 	}
@ -522,22 +456,15 @@ func (server *Server) playRegistrationBurst(session *Session) {
 // RplISupport outputs our ISUPPORT lines to the client. This is used on connection and in VERSION responses.
 func (server *Server) RplISupport(client *Client, rb *ResponseBuffer) {
-	server.sendRplISupportLines(client, rb, server.Config().Server.isupport.CachedReply)
+	translatedISupport := client.t("are supported by this server")
 }
 func (server *Server) sendRplISupportLines(client *Client, rb *ResponseBuffer, lines [][]string) {
 	if rb.session.capabilities.Has(caps.ExtendedISupport) {
 		batchID := rb.StartNestedBatch(caps.ExtendedISupportBatchType)
 		defer rb.EndNestedBatch(batchID)
 	}
 	finalText := "are supported by this server"
 	nick := client.Nick()
-	for _, cachedTokenLine := range lines {
+	config := server.Config()
 	for _, cachedTokenLine := range config.Server.isupport.CachedReply {
 		length := len(cachedTokenLine) + 2
 		tokenline := make([]string, length)
 		tokenline[0] = nick
 		copy(tokenline[1:], cachedTokenLine)
-		tokenline[length-1] = finalText
+		tokenline[length-1] = translatedISupport
 		rb.Add(nil, server.name, RPL_ISUPPORT, tokenline...)
 	}
 }
@ -652,7 +579,7 @@ func (client *Client) getWhoisOf(target *Client, hasPrivs bool, rb *ResponseBuff
 // rehash reloads the config and applies the changes from the config file.
 func (server *Server) rehash() error {
 	// #1570; this needs its own panic handling because it can be invoked via SIGHUP
-	defer server.HandlePanic(nil)
+	defer server.HandlePanic()
 	server.logger.Info("server", "Attempting rehash")
@ -806,16 +733,6 @@ func (server *Server) applyConfig(config *Config) (err error) {
 		return fmt.Errorf("Could not load cloak secret: %w", err)
 	}
 	config.Server.Cloaks.SetSecret(cloakSecret)
 	// similarly bring the VAPID keys into the config, which requires regenerating the 005
 	if config.WebPush.Enabled {
 		config.WebPush.vapidKeys, err = LoadVAPIDKeys(server.dstore)
 		if err != nil {
 			return fmt.Errorf("Could not load VAPID keys: %w", err)
 		}
 		if err = config.generateISupport(); err != nil {
 			return fmt.Errorf("Could not regenerate cached 005 for VAPID: %w", err)
 		}
 	}
 	// activate the new config
 	server.config.Store(config)
@ -858,8 +775,6 @@ func (server *Server) applyConfig(config *Config) (err error) {
 	server.setupPprofListener(config)
 	server.setupAPIListener(config)
 	// set RPL_ISUPPORT
 	var newISupportReplies [][]string
 	if oldConfig != nil {
@ -879,19 +794,13 @@ func (server *Server) applyConfig(config *Config) (err error) {
 	}
 	if !initial {
-		// send 005 updates (somewhat rare)
+		// push new info to all of our clients
 		if len(newISupportReplies) != 0 {
 		for _, sClient := range server.clients.AllClients() {
-				for _, session := range sClient.Sessions() {
+			for _, tokenline := range newISupportReplies {
-					rb := NewResponseBuffer(session)
+				sClient.Send(nil, server.name, RPL_ISUPPORT, append([]string{sClient.nick}, tokenline...)...)
 					server.sendRplISupportLines(sClient, rb, newISupportReplies)
 					rb.Send(false)
 				}
 			}
 			}
 			if sendRawOutputNotice {
 			for _, sClient := range server.clients.AllClients() {
 				sClient.Notice(sClient.t("This server is in debug mode and is logging all user I/O. If you do not wish for everything you send to be readable by the server owner(s), please disconnect."))
 			}
 		}
@ -928,46 +837,6 @@ func (server *Server) setupPprofListener(config *Config) {
 	}
 }
 func (server *Server) setupAPIListener(config *Config) {
 	if server.apiServer != nil {
 		if !config.API.Enabled || (config.API.Listener != server.apiServer.Addr) {
 			server.logger.Info("server", "Stopping API listener", server.apiServer.Addr)
 			server.apiServer.Close()
 			server.apiListener = nil
 			server.apiServer = nil
 		}
 	}
 	if !config.API.Enabled {
 		return
 	}
 	listenerConfig := utils.ListenerConfig{
 		TLSConfig: config.API.tlsConfig,
 	}
 	if server.apiListener != nil {
 		server.apiListener.Reload(listenerConfig)
 		return
 	}
 	listener, err := net.Listen("tcp", config.API.Listener)
 	if err != nil {
 		server.logger.Error("server", "Couldn't create API listener", config.API.Listener, err.Error())
 		return
 	}
 	server.apiListener = utils.NewReloadableListener(listener, listenerConfig)
 	server.apiServer = &http.Server{
 		Addr:           config.API.Listener, // just informational since we created the listener ourselves
 		Handler:        server.apiHandler,
 		ReadTimeout:    10 * time.Second,
 		WriteTimeout:   10 * time.Second,
 		MaxHeaderBytes: 16384,
 	}
 	go func(hs *http.Server, listener net.Listener) {
 		if err := hs.Serve(listener); err != nil {
 			server.logger.Error("server", "API listener failed", err.Error())
 		}
 	}(server.apiServer, server.apiListener)
 	server.logger.Info("server", "Started API listener", server.apiServer.Addr)
 }
 func (server *Server) loadDatastore(config *Config) error {
 	// open the datastore and load server state for which it (rather than config)
 	// is the source of truth
@ -1240,16 +1109,6 @@ func (server *Server) UnfoldName(cfname string) (name string) {
 	return server.clients.UnfoldNick(cfname)
 }
 // generateConnectionID generates a unique string identifier for an incoming connection.
 // this identifier is only used for debug logging.
 func (server *Server) generateConnectionID() string {
 	id := server.connIDCounter.Add(1)
 	// pad with leading zeroes to a minimum length of 5 hex digits. this enhances greppability;
 	// the identifier length will be 6 for the first 1048576 connections, which is less important
 	// but makes the log slightly easier to read
 	return fmt.Sprintf("s%05x", id)
 }
 // elistMatcher takes and matches ELIST conditions
 type elistMatcher struct {
 	MinClientsActive bool
--- a/irc/services.go
+++ b/irc/services.go
@ -7,7 +7,7 @@ import (
 	"bytes"
 	"fmt"
 	"log"
-	"slices"
+	"sort"
 	"strings"
 	"time"
@ -223,6 +223,7 @@ func serviceRunCommand(service *ircService, server *Server, client *Client, cmd
 		return
 	}
 	server.logger.Debug("services", fmt.Sprintf("Client %s ran %s command %s", client.Nick(), service.Name, commandName))
 	if commandName == "help" {
 		serviceHelpHandler(service, server, client, params, rb)
 	} else {
@ -250,7 +251,7 @@ func serviceHelpHandler(service *ircService, server *Server, client *Client, par
 			client.t("Here are the commands you can use:"),
 		}...)
 		// show general help
-		var shownHelpLines []string
+		var shownHelpLines sort.StringSlice
 		var disabledCommands bool
 		for _, commandInfo := range service.Commands {
 			// skip commands user can't access
@ -268,13 +269,13 @@ func serviceHelpHandler(service *ircService, server *Server, client *Client, par
 			shownHelpLines = append(shownHelpLines, "    "+ircfmt.Unescape(client.t(commandInfo.helpShort)))
 		}
 		// sort help lines
 		slices.Sort(shownHelpLines)
 		if disabledCommands {
 			shownHelpLines = append(shownHelpLines, "    "+client.t("... and other commands which have been disabled"))
 		}
 		// sort help lines
 		sort.Sort(shownHelpLines)
 		// push out help text
 		for _, line := range helpBannerLines {
 			sendNotice(line)
--- a/irc/smtp/smtp.go
+++ b/irc/smtp/smtp.go
@ -233,7 +233,7 @@ func (c *Client) Auth(a Auth) error {
 	}
 	resp64 := make([]byte, encoding.EncodedLen(len(resp)))
 	encoding.Encode(resp64, resp)
-	code, msg64, err := c.cmd(0, "%s", strings.TrimSpace(fmt.Sprintf("AUTH %s %s", mech, resp64)))
+	code, msg64, err := c.cmd(0, strings.TrimSpace(fmt.Sprintf("AUTH %s %s", mech, resp64)))
 	for err == nil {
 		var msg []byte
 		switch code {
@ -259,7 +259,7 @@ func (c *Client) Auth(a Auth) error {
 		}
 		resp64 = make([]byte, encoding.EncodedLen(len(resp)))
 		encoding.Encode(resp64, resp)
-		code, msg64, err = c.cmd(0, "%s", resp64)
+		code, msg64, err = c.cmd(0, string(resp64))
 	}
 	return err
 }
--- a/irc/strings.go
+++ b/irc/strings.go
@ -73,7 +73,7 @@ var globalCasemappingSetting Casemapping = CasemappingPRECIS
 // XXX analogous unsynchronized global variable controlling utf8 validation
 // if this is off, you get the traditional IRC behavior (relaying any valid RFC1459
-// octets), and websocket listeners are disabled.
+// octets) and invalid utf8 messages are silently dropped for websocket clients only.
 // if this is on, invalid utf8 inputs get a FAIL reply.
 var globalUtf8EnforcementSetting bool
--- a/irc/uban.go
+++ b/irc/uban.go
@ -163,7 +163,7 @@ func ubanAddHandler(client *Client, target ubanTarget, params []string, rb *Resp
 	case ubanCIDR:
 		err = ubanAddCIDR(client, target, duration, requireSASL, operReason, rb)
 	case ubanNickmask:
-		err = ubanAddNickmask(client, target, duration, requireSASL, operReason, rb)
+		err = ubanAddNickmask(client, target, duration, operReason, rb)
 	case ubanNick:
 		err = ubanAddAccount(client, target, duration, operReason, rb)
 	}
@ -242,8 +242,8 @@ func ubanAddCIDR(client *Client, target ubanTarget, duration time.Duration, requ
 	return
 }
-func ubanAddNickmask(client *Client, target ubanTarget, duration time.Duration, requireSASL bool, operReason string, rb *ResponseBuffer) (err error) {
+func ubanAddNickmask(client *Client, target ubanTarget, duration time.Duration, operReason string, rb *ResponseBuffer) (err error) {
-	err = client.server.klines.AddMask(target.nickOrMask, duration, requireSASL, "", operReason, client.Oper().Name)
+	err = client.server.klines.AddMask(target.nickOrMask, duration, "", operReason, client.Oper().Name)
 	if err == nil {
 		rb.Notice(fmt.Sprintf(client.t("Successfully added UBAN for %s"), target.nickOrMask))
 	} else {
@ -455,7 +455,7 @@ func ubanInfoNick(client *Client, target ubanTarget, rb *ResponseBuffer) {
 			rb.Notice(client.t("Warning: banning this IP or a network that contains it may affect other users. Use /UBAN INFO on the candidate IP or network for more information."))
 		}
 	} else {
-		rb.Notice(client.t("No client is currently using that nickname"))
+		rb.Notice(fmt.Sprintf(client.t("No client is currently using that nickname")))
 	}
 	account, err := client.server.accounts.LoadAccount(target.nickOrMask)
--- a/irc/utils/chunks.go
+++ b/irc/utils/chunks.go
@ -1,28 +0,0 @@
 package utils
 import "iter"
 func ChunkifyParams(params iter.Seq[string], maxChars int) [][]string {
 	var chunked [][]string
 	var acc []string
 	var length = 0
 	for p := range params {
 		length = length + len(p) + 1 // (accounting for the space)
 		if length > maxChars {
 			chunked = append(chunked, acc)
 			acc = []string{}
 			length = 0
 		}
 		acc = append(acc, p)
 	}
 	if len(acc) != 0 {
 		chunked = append(chunked, acc)
 	}
 	return chunked
 }
--- a/irc/utils/sync.go
+++ b/irc/utils/sync.go
@ -0,0 +1,35 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package utils
 import (
 	"sync"
 	"sync/atomic"
 )
 // Once is a fork of sync.Once to expose a Done() method.
 type Once struct {
 	done uint32
 	m    sync.Mutex
 }
 func (o *Once) Do(f func()) {
 	if atomic.LoadUint32(&o.done) == 0 {
 		o.doSlow(f)
 	}
 }
 func (o *Once) doSlow(f func()) {
 	o.m.Lock()
 	defer o.m.Unlock()
 	if o.done == 0 {
 		defer atomic.StoreUint32(&o.done, 1)
 		f()
 	}
 }
 func (o *Once) Done() bool {
 	return atomic.LoadUint32(&o.done) == 1
 }
--- a/irc/utils/text.go
+++ b/irc/utils/text.go
@ -95,20 +95,6 @@ func (sm *SplitMessage) Is512() bool {
 	return sm.Split == nil
 }
 func (sm *SplitMessage) CombinedValue() string {
 	if sm.Split == nil {
 		return sm.Message
 	}
 	var buf strings.Builder
 	for i := range sm.Split {
 		if i != 0 && !sm.Split[i].Concat {
 			buf.WriteRune('\n')
 		}
 		buf.WriteString(sm.Split[i].Message)
 	}
 	return buf.String()
 }
 // TokenLineBuilder is a helper for building IRC lines composed of delimited tokens,
 // with a maximum line length.
 type TokenLineBuilder struct {
--- a/irc/utils/text_test.go
+++ b/irc/utils/text_test.go
@ -66,15 +66,3 @@ func BenchmarkTokenLines(b *testing.B) {
 		tl.Lines()
 	}
 }
 func TestCombinedValue(t *testing.T) {
 	var split = SplitMessage{
 		Split: []MessagePair{
 			{"hi", false},
 			{"hi", false},
 			{" again", true},
 			{"you", false},
 		},
 	}
 	assertEqual(split.CombinedValue(), "hi\nhi again\nyou", t)
 }
--- a/irc/utils/time.go
+++ b/irc/utils/time.go
@ -1,15 +0,0 @@
 package utils
 import (
 	"time"
 )
 // ReadMarkerLessThanOrEqual compares times from the standpoint of
 // draft/read-marker (the presentation format of which truncates the time
 // to the millisecond). In future we might want to consider proactively rounding,
 // instead of truncating, the time, but this has complex implications.
 func ReadMarkerLessThanOrEqual(t1, t2 time.Time) bool {
 	t1 = t1.Truncate(time.Millisecond)
 	t2 = t2.Truncate(time.Millisecond)
 	return t1.Before(t2) || t1.Equal(t2)
 }
--- a/irc/version.go
+++ b/irc/version.go
@ -7,7 +7,7 @@ import "fmt"
 const (
 	// SemVer is the semantic version of Ergo.
-	SemVer = "2.17.0-unreleased"
+	SemVer = "2.14.0-rc1"
 )
 var (
--- a/irc/webpush/highlight.go
+++ b/irc/webpush/highlight.go
@ -1,60 +0,0 @@
 // Copyright (c) 2021-2024 Simon Ser <contact@emersion.fr>
 // Originally released under the AGPLv3, relicensed to the Ergo project under the MIT license
 package webpush
 import (
 	"strings"
 	"unicode"
 	"unicode/utf8"
 )
 func isWordBoundary(r rune) bool {
 	switch r {
 	case '-', '_', '|': // inspired from weechat.look.highlight_regex
 		return false
 	default:
 		return !unicode.IsLetter(r) && !unicode.IsNumber(r)
 	}
 }
 func isURIPrefix(text string) bool {
 	if i := strings.LastIndexFunc(text, unicode.IsSpace); i >= 0 {
 		text = text[i:]
 	}
 	i := strings.Index(text, "://")
 	if i < 0 {
 		return false
 	}
 	// See RFC 3986 section 3
 	r, _ := utf8.DecodeLastRuneInString(text[:i])
 	switch r {
 	case '+', '-', '.':
 		return true
 	default:
 		return ('0' <= r && r <= '9') || ('a' <= r && r <= 'z') || ('A' <= r && r <= 'Z')
 	}
 }
 func IsHighlight(text, nick string) bool {
 	if len(nick) == 0 {
 		return false
 	}
 	for {
 		i := strings.Index(text, nick)
 		if i < 0 {
 			return false
 		}
 		left, _ := utf8.DecodeLastRuneInString(text[:i])
 		right, _ := utf8.DecodeRuneInString(text[i+len(nick):])
 		if isWordBoundary(left) && isWordBoundary(right) && !isURIPrefix(text[:i]) {
 			return true
 		}
 		text = text[i+len(nick):]
 	}
 }
--- a/irc/webpush/security.go
+++ b/irc/webpush/security.go
@ -1,66 +0,0 @@
 // Copyright (c) 2024 Shivaram Lingamneni <slingamn@cs.stanford.edu>
 // Released under the MIT license
 // Some portions of this code are:
 // Copyright (c) 2024 Simon Ser <contact@emersion.fr>
 // Originally released under the AGPLv3, relicensed to the Ergo project under the MIT license
 package webpush
 import (
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"syscall"
 )
 var (
 	errInternalIP = errors.New("dialing an internal IP is forbidden")
 )
 func SanityCheckWebPushEndpoint(endpoint string) error {
 	u, err := url.Parse(endpoint)
 	if err != nil {
 		return err
 	}
 	if u.Scheme != "https" {
 		return fmt.Errorf("scheme must be HTTPS")
 	}
 	return nil
 }
 // makeExternalOnlyClient builds an http.Client that can only connect
 // to external IP addresses.
 func makeExternalOnlyClient() *http.Client {
 	dialer := &net.Dialer{
 		Control: func(network, address string, c syscall.RawConn) error {
 			ip, _, err := net.SplitHostPort(address)
 			if err != nil {
 				return err
 			}
 			parsedIP, err := netip.ParseAddr(ip)
 			if err != nil {
 				return err
 			}
 			if isInternalIP(parsedIP) {
 				return errInternalIP
 			}
 			return nil
 		},
 	}
 	return &http.Client{
 		Transport: &http.Transport{
 			DialContext: dialer.DialContext,
 		},
 	}
 }
 func isInternalIP(ip netip.Addr) bool {
 	return ip.IsLoopback() || ip.IsMulticast() || ip.IsPrivate()
 }
--- a/irc/webpush/security_test.go
+++ b/irc/webpush/security_test.go
@ -1,21 +0,0 @@
 package webpush
 import (
 	"errors"
 	"testing"
 )
 func TestExternalOnlyHTTPClient(t *testing.T) {
 	client := makeExternalOnlyClient()
 	for _, url := range []string{
 		"https://127.0.0.2/test",
 		"https://127.0.0.2:8201",
 		"https://127.0.0.2:8201/asdf",
 	} {
 		_, err := client.Get(url)
 		if err == nil || !errors.Is(err, errInternalIP) {
 			t.Errorf("%s was not forbidden as expected (got %v)", url, err)
 		}
 	}
 }
--- a/irc/webpush/webpush.go
+++ b/irc/webpush/webpush.go
@ -1,148 +0,0 @@
 // Copyright (c) 2024 Shivaram Lingamneni <slingamn@cs.stanford.edu>
 // Released under the MIT license
 // Some portions of this code are:
 // Copyright (c) 2021-2024 Simon Ser <contact@emersion.fr>
 // Originally released under the AGPLv3, relicensed to the Ergo project under the MIT license
 package webpush
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/ergochat/irc-go/ircmsg"
 	webpush "github.com/ergochat/webpush-go/v2"
 	"github.com/ergochat/ergo/irc/utils"
 )
 // alias some public types and names from webpush-go
 type VAPIDKeys = webpush.VAPIDKeys
 type Keys = webpush.Keys
 var (
 	GenerateVAPIDKeys = webpush.GenerateVAPIDKeys
 )
 // Urgency is a uint8 representation of urgency to save a few
 // bytes on channel sizes.
 type Urgency uint8
 const (
 	// UrgencyVeryLow requires device state: on power and Wi-Fi
 	UrgencyVeryLow Urgency = iota // "very-low"
 	// UrgencyLow requires device state: on either power or Wi-Fi
 	UrgencyLow // "low"
 	// UrgencyNormal excludes device state: low battery
 	UrgencyNormal // "normal"
 	// UrgencyHigh admits device state: low battery
 	UrgencyHigh // "high"
 )
 var (
 	// PingMessage is a valid IRC message that we can send to test that the subscription
 	// is valid (i.e. responds to POSTs with a 20x). We do not expect that the client will
 	// actually connect to IRC and send PONG (although it might be nice to have a way to
 	// hint to a client that they should reconnect to renew their subscription?)
 	PingMessage = []byte("PING webpush")
 )
 func convertUrgency(u Urgency) webpush.Urgency {
 	switch u {
 	case UrgencyVeryLow:
 		return webpush.UrgencyVeryLow
 	case UrgencyLow:
 		return webpush.UrgencyLow
 	case UrgencyNormal:
 		return webpush.UrgencyNormal
 	case UrgencyHigh:
 		return webpush.UrgencyHigh
 	default:
 		return webpush.UrgencyNormal // shouldn't happen
 	}
 }
 var httpClient webpush.HTTPClient = makeExternalOnlyClient()
 var (
 	Err404 = errors.New("endpoint returned a 404, indicating that the push subscription is no longer valid")
 	errInvalidKey = errors.New("invalid key format")
 )
 func DecodeSubscriptionKeys(keysParam string) (keys webpush.Keys, err error) {
 	// The keys parameter is tag-encoded, with each tag value being URL-safe base64 encoded:
 	// * One public key with the name p256dh set to the client's P-256 ECDH public key.
 	// * One shared key with the name auth set to a 16-byte client-generated authentication secret.
 	// since we don't have a separate tag parser implementation, wrap it in a fake IRC line for parsing:
 	fakeIRCLine := fmt.Sprintf("@%s PING", keysParam)
 	ircMsg, err := ircmsg.ParseLine(fakeIRCLine)
 	if err != nil {
 		return
 	}
 	_, auth := ircMsg.GetTag("auth")
 	_, p256 := ircMsg.GetTag("p256dh")
 	return webpush.DecodeSubscriptionKeys(auth, p256)
 }
 // MakePushMessage serializes a utils.SplitMessage as a web push message (the args are in
 // logical order)
 func MakePushMessage(command, nuh, accountName, target string, msg utils.SplitMessage) ([]byte, error) {
 	var messageForPush string
 	if msg.Is512() {
 		messageForPush = msg.Message
 	} else {
 		messageForPush = msg.Split[0].Message
 	}
 	return MakePushLine(msg.Time, accountName, nuh, command, target, messageForPush)
 }
 // MakePushLine serializes an arbitrary IRC line as a web push message (the args are in
 // IRC syntax order)
 func MakePushLine(time time.Time, accountName, source, command string, params ...string) ([]byte, error) {
 	pushMessage := ircmsg.MakeMessage(nil, source, command, params...)
 	pushMessage.SetTag("time", time.Format(utils.IRCv3TimestampFormat))
 	// "*" is canonical for the unset form of the unfolded account name, but check both:
 	if accountName != "*" && accountName != "" {
 		pushMessage.SetTag("account", accountName)
 	}
 	if line, err := pushMessage.LineBytesStrict(false, 512); err == nil {
 		// strip final \r\n
 		return line[:len(line)-2], nil
 	} else {
 		return nil, err
 	}
 }
 func SendWebPush(ctx context.Context, endpoint string, keys Keys, vapidKeys *VAPIDKeys, urgency Urgency, subscriber string, msg []byte) error {
 	wpsub := webpush.Subscription{
 		Endpoint: endpoint,
 		Keys:     keys,
 	}
 	options := webpush.Options{
 		HTTPClient: httpClient,
 		VAPIDKeys:  vapidKeys,
 		Subscriber: subscriber,
 		TTL:        7 * 24 * 60 * 60, // seconds
 		Urgency:    convertUrgency(urgency),
 		RecordSize: 2048,
 	}
 	resp, err := webpush.SendNotification(ctx, msg, &wpsub, &options)
 	if err != nil {
 		return err
 	}
 	resp.Body.Close()
 	if resp.StatusCode == http.StatusNotFound {
 		return Err404
 	} else if 200 <= resp.StatusCode && resp.StatusCode < 300 {
 		return nil
 	} else {
 		return fmt.Errorf("HTTP error: %v", resp.Status)
 	}
 }
--- a/irc/webpush/webpush_test.go
+++ b/irc/webpush/webpush_test.go
@ -1,57 +0,0 @@
 package webpush
 import (
 	"strings"
 	"testing"
 	"time"
 	"github.com/ergochat/irc-go/ircmsg"
 	"github.com/ergochat/ergo/irc/utils"
 )
 func TestBuildPushLine(t *testing.T) {
 	now, err := time.Parse(utils.IRCv3TimestampFormat, "2025-01-12T00:55:44.403Z")
 	if err != nil {
 		panic(err)
 	}
 	line, err := MakePushLine(now, "*", "ergo.test", "MARKREAD", "#ergo", "timestamp=2025-01-12T00:07:57.972Z")
 	if err != nil {
 		t.Fatal(err)
 	}
 	if string(line) != "@time=2025-01-12T00:55:44.403Z :ergo.test MARKREAD #ergo timestamp=2025-01-12T00:07:57.972Z" {
 		t.Errorf("got wrong line output: %s", line)
 	}
 }
 func TestBuildPushMessage(t *testing.T) {
 	now, err := time.Parse(utils.IRCv3TimestampFormat, "2025-01-12T01:05:04.422Z")
 	if err != nil {
 		panic(err)
 	}
 	lineBytes, err := MakePushMessage("PRIVMSG", "shivaram!~u@kca7nfgniet7q.irc", "shivaram", "#redacted", utils.SplitMessage{
 		Message: "[redacted message contents]",
 		Msgid:   "t8st5bb4b9qhed3zs3pwspinca",
 		Time:    now,
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	line := string(lineBytes)
 	parsed, err := ircmsg.ParseLineStrict(line, false, 512)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if ok, account := parsed.GetTag("account"); !ok || account != "shivaram" {
 		t.Fatalf("bad account tag %s", account)
 	}
 	if ok, timestamp := parsed.GetTag("time"); !ok || timestamp != "2025-01-12T01:05:04.422Z" {
 		t.Fatal("bad time")
 	}
 	idx := strings.IndexByte(line, ' ')
 	if line[idx+1:] != ":shivaram!~u@kca7nfgniet7q.irc PRIVMSG #redacted :[redacted message contents]" {
 		t.Fatal("bad line")
 	}
 }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit ccdacd990a09ac3cd3591613b8d7fee4301e08c8
+Subproject commit af980ed3b639b5e1b3749c74027872adb69922a7
--- a/traditional.yaml
+++ b/traditional.yaml
@ -74,7 +74,6 @@ server:
        max-connections-per-duration: 64
    # strict transport security, to get clients to automagically use TLS
    # (irrelevant in the recommended configuration, with no public plaintext listener)
    sts:
        # whether to advertise STS
        #
@ -348,17 +347,6 @@ server:
    # if you don't want to publicize how popular the server is
    suppress-lusers: false
    # publish additional key-value pairs in ISUPPORT (the 005 numeric).
    # keys that collide with a key published by Ergo will be silently ignored.
    additional-isupport:
        #"draft/FILEHOST": "https://example.com/filehost"
        #"draft/bazbat": "" # empty string means no value
    # optionally map command alias names to existing ergo commands. most deployments
    # should ignore this.
    #command-aliases:
        #"UMGEBUNG": "AMBIANCE"
 # account options
 accounts:
    # is account authentication enabled, i.e., can users log into existing accounts?
@ -494,7 +482,7 @@ accounts:
        # 1. these nicknames cannot be registered or reserved
        # 2. if a client is automatically renamed by the server,
        #    this is the template that will be used (e.g., Guest-nccj6rgmt97cg)
-        # 3. if force-guest-format (see below) is enabled, clients without
+        # 3. if enforce-guest-format (see below) is enabled, clients without
        #    a registered account will have this template applied to their
        #    nicknames (e.g., 'katie' will become 'Guest-katie')
        guest-nickname-format: "Guest-*"
@ -695,7 +683,6 @@ oper-classes:
            - "history"      # modify or delete history messages
            - "defcon"       # use the DEFCON command (restrict server capabilities)
            - "massmessage"  # message all users on the server
            - "metadata"     # modify arbitrary metadata on channels and users
 # ircd operators
 opers:
@ -760,7 +747,7 @@ logging:
        # be logged, even if you explicitly include it
        #
        # useful types include:
-        #   *               everything (usually used with excluding some types below)
+        #   *               everything (usually used with exclusing some types below)
        #   server          server startup, rehash, and shutdown events
        #   accounts        account registration and authentication
        #   channels        channel creation and operations
@ -804,7 +791,7 @@ lock-file: "ircd.lock"
 # datastore configuration
 datastore:
-    # path to the database file (used to store account and channel registrations):
+    # path to the datastore
    path: ircd.db
    # if the database schema requires an upgrade, `autoupgrade` will attempt to
@ -906,7 +893,6 @@ fakelag:
        "MARKREAD":    16
        "MONITOR":     1
        "WHO":         4
        "WEBPUSH":     1
 # the roleplay commands are semi-standardized extensions to IRC that allow
 # sending and receiving messages from pseudo-nicknames. this can be used either
@ -925,12 +911,6 @@ roleplay:
    # add the real nickname, in parentheses, to the end of every roleplay message?
    add-suffix: true
    # allow customizing the NUH's sent for NPC and SCENE commands
    # NPC: the first %s is the NPC name, the second is the user's real nick
    #npc-nick-mask: "*%s*!%s@npc.fakeuser.invalid"
    # SCENE: the %s is the client's real nick
    #scene-nick-mask: "=Scene=!%s@npc.fakeuser.invalid"
 # external services can integrate with the ircd using JSON Web Tokens (https://jwt.io).
 # in effect, the server can sign a token attesting that the client is present on
 # the server, is a member of a particular channel, etc.
@ -1058,51 +1038,3 @@ history:
 # whether to allow customization of the config at runtime using environment variables,
 # e.g., ERGO__SERVER__MAX_SENDQ=128k. see the manual for more details.
 allow-environment-overrides: true
 # metadata support for setting key/value data on channels and nicknames.
 metadata:
    # can clients store metadata?
    enabled: true
    # how many keys can a client subscribe to?
    max-subs: 100
    # how many keys can be stored per entity?
    max-keys: 100
 # experimental support for mobile push notifications
 # see the manual for potential security, privacy, and performance implications.
 # DO NOT enable if you are running a Tor or I2P hidden service (i.e. one
 # with no public IP listeners, only Tor/I2P listeners).
 webpush:
    # are push notifications enabled at all?
    enabled: false
    # request timeout for POST'ing the http notification
    timeout: 10s
    # delay sending the notification for this amount of time, then suppress it
    # if the client sent MARKREAD to indicate that it was read on another device
    delay: 0s
    # subscriber field for the VAPID JWT authorization:
    #subscriber: "https://your-website.com/"
    # maximum number of push subscriptions per user
    max-subscriptions: 4
    # expiration time for a push subscription; it must be renewed within this time
    # by the client reconnecting to IRC. we also detect whether the client is no longer
    # successfully receiving push messages.
    expiration: 14d
 # HTTP API. we strongly recommend leaving this disabled unless you have a specific
 # need for it.
 api:
    # is the API enabled at all?
    enabled: false
    # listen address:
    listener: "127.0.0.1:8089"
    # serve over TLS (strongly recommended if the listener is public):
    #tls:
        #cert: fullchain.pem
        #key: privkey.pem
    # one or more static bearer tokens accepted for HTTP bearer authentication.
    # these must be strong, unique, high-entropy printable ASCII strings.
    # to generate a new token, use `ergo gentoken` or:
    # python3 -c "import secrets; print(secrets.token_urlsafe(32))"
    bearer-tokens:
        - "example"
--- a/vendor/github.com/emersion/go-msgauth/dkim/canonical.go
+++ b/vendor/github.com/emersion/go-msgauth/dkim/canonical.go
@ -1,199 +0,0 @@
 package dkim
 import (
 	"io"
 	"strings"
 )
 // Canonicalization is a canonicalization algorithm.
 type Canonicalization string
 const (
 	CanonicalizationSimple  Canonicalization = "simple"
 	CanonicalizationRelaxed                  = "relaxed"
 )
 type canonicalizer interface {
 	CanonicalizeHeader(s string) string
 	CanonicalizeBody(w io.Writer) io.WriteCloser
 }
 var canonicalizers = map[Canonicalization]canonicalizer{
 	CanonicalizationSimple:  new(simpleCanonicalizer),
 	CanonicalizationRelaxed: new(relaxedCanonicalizer),
 }
 // crlfFixer fixes any lone LF without a preceding CR.
 type crlfFixer struct {
 	cr bool
 }
 func (cf *crlfFixer) Fix(b []byte) []byte {
 	res := make([]byte, 0, len(b))
 	for _, ch := range b {
 		prevCR := cf.cr
 		cf.cr = false
 		switch ch {
 		case '\r':
 			cf.cr = true
 		case '\n':
 			if !prevCR {
 				res = append(res, '\r')
 			}
 		}
 		res = append(res, ch)
 	}
 	return res
 }
 type simpleCanonicalizer struct{}
 func (c *simpleCanonicalizer) CanonicalizeHeader(s string) string {
 	return s
 }
 type simpleBodyCanonicalizer struct {
 	w         io.Writer
 	crlfBuf   []byte
 	crlfFixer crlfFixer
 }
 func (c *simpleBodyCanonicalizer) Write(b []byte) (int, error) {
 	written := len(b)
 	b = append(c.crlfBuf, b...)
 	b = c.crlfFixer.Fix(b)
 	end := len(b)
 	// If it ends with \r, maybe the next write will begin with \n
 	if end > 0 && b[end-1] == '\r' {
 		end--
 	}
 	// Keep all \r\n sequences
 	for end >= 2 {
 		prev := b[end-2]
 		cur := b[end-1]
 		if prev != '\r' || cur != '\n' {
 			break
 		}
 		end -= 2
 	}
 	c.crlfBuf = b[end:]
 	var err error
 	if end > 0 {
 		_, err = c.w.Write(b[:end])
 	}
 	return written, err
 }
 func (c *simpleBodyCanonicalizer) Close() error {
 	// Flush crlfBuf if it ends with a single \r (without a matching \n)
 	if len(c.crlfBuf) > 0 && c.crlfBuf[len(c.crlfBuf)-1] == '\r' {
 		if _, err := c.w.Write(c.crlfBuf); err != nil {
 			return err
 		}
 	}
 	c.crlfBuf = nil
 	if _, err := c.w.Write([]byte(crlf)); err != nil {
 		return err
 	}
 	return nil
 }
 func (c *simpleCanonicalizer) CanonicalizeBody(w io.Writer) io.WriteCloser {
 	return &simpleBodyCanonicalizer{w: w}
 }
 type relaxedCanonicalizer struct{}
 func (c *relaxedCanonicalizer) CanonicalizeHeader(s string) string {
 	k, v, ok := strings.Cut(s, ":")
 	if !ok {
 		return strings.TrimSpace(strings.ToLower(s)) + ":" + crlf
 	}
 	k = strings.TrimSpace(strings.ToLower(k))
 	v = strings.Join(strings.FieldsFunc(v, func(r rune) bool {
 		return r == ' ' || r == '\t' || r == '\n' || r == '\r'
 	}), " ")
 	return k + ":" + v + crlf
 }
 type relaxedBodyCanonicalizer struct {
 	w         io.Writer
 	crlfBuf   []byte
 	wsp       bool
 	written   bool
 	crlfFixer crlfFixer
 }
 func (c *relaxedBodyCanonicalizer) Write(b []byte) (int, error) {
 	written := len(b)
 	b = c.crlfFixer.Fix(b)
 	canonical := make([]byte, 0, len(b))
 	for _, ch := range b {
 		if ch == ' ' || ch == '\t' {
 			c.wsp = true
 		} else if ch == '\r' || ch == '\n' {
 			c.wsp = false
 			c.crlfBuf = append(c.crlfBuf, ch)
 		} else {
 			if len(c.crlfBuf) > 0 {
 				canonical = append(canonical, c.crlfBuf...)
 				c.crlfBuf = c.crlfBuf[:0]
 			}
 			if c.wsp {
 				canonical = append(canonical, ' ')
 				c.wsp = false
 			}
 			canonical = append(canonical, ch)
 		}
 	}
 	if !c.written && len(canonical) > 0 {
 		c.written = true
 	}
 	_, err := c.w.Write(canonical)
 	return written, err
 }
 func (c *relaxedBodyCanonicalizer) Close() error {
 	if c.written {
 		if _, err := c.w.Write([]byte(crlf)); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (c *relaxedCanonicalizer) CanonicalizeBody(w io.Writer) io.WriteCloser {
 	return &relaxedBodyCanonicalizer{w: w}
 }
 type limitedWriter struct {
 	W io.Writer
 	N int64
 }
 func (w *limitedWriter) Write(b []byte) (int, error) {
 	if w.N <= 0 {
 		return len(b), nil
 	}
 	skipped := 0
 	if int64(len(b)) > w.N {
 		b = b[:w.N]
 		skipped = int(int64(len(b)) - w.N)
 	}
 	n, err := w.W.Write(b)
 	w.N -= int64(n)
 	return n + skipped, err
 }
--- a/vendor/github.com/emersion/go-msgauth/dkim/dkim.go
+++ b/vendor/github.com/emersion/go-msgauth/dkim/dkim.go
@ -1,23 +0,0 @@
 // Package dkim creates and verifies DKIM signatures, as specified in RFC 6376.
 //
 // # FAQ
 //
 // Why can't I verify a [net/mail.Message] directly? A [net/mail.Message]
 // header is already parsed, and whitespace characters (especially continuation
 // lines) are removed. Thus, the signature computed from the parsed header is
 // not the same as the one computed from the raw header.
 //
 // How can I publish my public key? You have to add a TXT record to your DNS
 // zone. See [RFC 6376 appendix C]. You can use the dkim-keygen tool included
 // in go-msgauth to generate the key and the TXT record.
 //
 // [RFC 6376 appendix C]: https://tools.ietf.org/html/rfc6376#appendix-C
 package dkim
 import (
 	"time"
 )
 var now = time.Now
 const headerFieldName = "DKIM-Signature"
--- a/vendor/github.com/emersion/go-msgauth/dkim/header.go
+++ b/vendor/github.com/emersion/go-msgauth/dkim/header.go
@ -1,172 +0,0 @@
 package dkim
 import (
 	"bufio"
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"net/textproto"
 	"sort"
 	"strings"
 )
 const crlf = "\r\n"
 type header []string
 func readHeader(r *bufio.Reader) (header, error) {
 	tr := textproto.NewReader(r)
 	var h header
 	for {
 		l, err := tr.ReadLine()
 		if err != nil {
 			return h, fmt.Errorf("failed to read header: %v", err)
 		}
 		if len(l) == 0 {
 			break
 		} else if len(h) > 0 && (l[0] == ' ' || l[0] == '\t') {
 			// This is a continuation line
 			h[len(h)-1] += l + crlf
 		} else {
 			h = append(h, l+crlf)
 		}
 	}
 	return h, nil
 }
 func writeHeader(w io.Writer, h header) error {
 	for _, kv := range h {
 		if _, err := w.Write([]byte(kv)); err != nil {
 			return err
 		}
 	}
 	_, err := w.Write([]byte(crlf))
 	return err
 }
 func foldHeaderField(kv string) string {
 	buf := bytes.NewBufferString(kv)
 	line := make([]byte, 75) // 78 - len("\r\n\s")
 	first := true
 	var fold strings.Builder
 	for len, err := buf.Read(line); err != io.EOF; len, err = buf.Read(line) {
 		if first {
 			first = false
 		} else {
 			fold.WriteString("\r\n ")
 		}
 		fold.Write(line[:len])
 	}
 	return fold.String() + crlf
 }
 func parseHeaderField(s string) (string, string) {
 	key, value, _ := strings.Cut(s, ":")
 	return strings.TrimSpace(key), strings.TrimSpace(value)
 }
 func parseHeaderParams(s string) (map[string]string, error) {
 	pairs := strings.Split(s, ";")
 	params := make(map[string]string)
 	for _, s := range pairs {
 		key, value, ok := strings.Cut(s, "=")
 		if !ok {
 			if strings.TrimSpace(s) == "" {
 				continue
 			}
 			return params, errors.New("dkim: malformed header params")
 		}
 		trimmedKey := strings.TrimSpace(key)
 		_, present := params[trimmedKey]
 		if present {
 			return params, errors.New("dkim: duplicate tag name")
 		}
 		params[trimmedKey] = strings.TrimSpace(value)
 	}
 	return params, nil
 }
 func formatHeaderParams(headerFieldName string, params map[string]string) string {
 	keys, bvalue, bfound := sortParams(params)
 	s := headerFieldName + ":"
 	var line string
 	for _, k := range keys {
 		v := params[k]
 		nextLength := 3 + len(line) + len(v) + len(k)
 		if nextLength > 75 {
 			s += line + crlf
 			line = ""
 		}
 		line = fmt.Sprintf("%v %v=%v;", line, k, v)
 	}
 	if line != "" {
 		s += line
 	}
 	if bfound {
 		bfiled := foldHeaderField(" b=" + bvalue)
 		s += crlf + bfiled
 	}
 	return s
 }
 func sortParams(params map[string]string) ([]string, string, bool) {
 	keys := make([]string, 0, len(params))
 	bfound := false
 	var bvalue string
 	for k := range params {
 		if k == "b" {
 			bvalue = params["b"]
 			bfound = true
 		} else {
 			keys = append(keys, k)
 		}
 	}
 	sort.Strings(keys)
 	return keys, bvalue, bfound
 }
 type headerPicker struct {
 	h      header
 	picked map[string]int
 }
 func newHeaderPicker(h header) *headerPicker {
 	return &headerPicker{
 		h:      h,
 		picked: make(map[string]int),
 	}
 }
 func (p *headerPicker) Pick(key string) string {
 	key = strings.ToLower(key)
 	at := p.picked[key]
 	for i := len(p.h) - 1; i >= 0; i-- {
 		kv := p.h[i]
 		k, _ := parseHeaderField(kv)
 		if !strings.EqualFold(k, key) {
 			continue
 		}
 		if at == 0 {
 			p.picked[key]++
 			return kv
 		}
 		at--
 	}
 	return ""
 }
--- a/vendor/github.com/emersion/go-msgauth/dkim/query.go
+++ b/vendor/github.com/emersion/go-msgauth/dkim/query.go
@ -1,184 +0,0 @@
 package dkim
 import (
 	"crypto"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"net"
 	"strings"
 	"golang.org/x/crypto/ed25519"
 )
 type verifier interface {
 	Public() crypto.PublicKey
 	Verify(hash crypto.Hash, hashed []byte, sig []byte) error
 }
 type rsaVerifier struct {
 	*rsa.PublicKey
 }
 func (v rsaVerifier) Public() crypto.PublicKey {
 	return v.PublicKey
 }
 func (v rsaVerifier) Verify(hash crypto.Hash, hashed, sig []byte) error {
 	return rsa.VerifyPKCS1v15(v.PublicKey, hash, hashed, sig)
 }
 type ed25519Verifier struct {
 	ed25519.PublicKey
 }
 func (v ed25519Verifier) Public() crypto.PublicKey {
 	return v.PublicKey
 }
 func (v ed25519Verifier) Verify(hash crypto.Hash, hashed, sig []byte) error {
 	if !ed25519.Verify(v.PublicKey, hashed, sig) {
 		return errors.New("dkim: invalid Ed25519 signature")
 	}
 	return nil
 }
 type queryResult struct {
 	Verifier  verifier
 	KeyAlgo   string
 	HashAlgos []string
 	Notes     string
 	Services  []string
 	Flags     []string
 }
 // QueryMethod is a DKIM query method.
 type QueryMethod string
 const (
 	// DNS TXT resource record (RR) lookup algorithm
 	QueryMethodDNSTXT QueryMethod = "dns/txt"
 )
 type txtLookupFunc func(domain string) ([]string, error)
 type queryFunc func(domain, selector string, txtLookup txtLookupFunc) (*queryResult, error)
 var queryMethods = map[QueryMethod]queryFunc{
 	QueryMethodDNSTXT: queryDNSTXT,
 }
 func queryDNSTXT(domain, selector string, txtLookup txtLookupFunc) (*queryResult, error) {
 	if txtLookup == nil {
 		txtLookup = net.LookupTXT
 	}
 	txts, err := txtLookup(selector + "._domainkey." + domain)
 	if netErr, ok := err.(net.Error); ok && netErr.Temporary() {
 		return nil, tempFailError("key unavailable: " + err.Error())
 	} else if err != nil {
 		return nil, permFailError("no key for signature: " + err.Error())
 	}
 	// net.LookupTXT will concatenate strings contained in a single TXT record.
 	// In other words, net.LookupTXT returns one entry per TXT record, even if
 	// a record contains multiple strings.
 	//
 	// RFC 6376 section 3.6.2.2 says multiple TXT records lead to undefined
 	// behavior, so reject that.
 	switch len(txts) {
 	case 0:
 		return nil, permFailError("no valid key found")
 	case 1:
 		return parsePublicKey(txts[0])
 	default:
 		return nil, permFailError("multiple TXT records found for key")
 	}
 }
 func parsePublicKey(s string) (*queryResult, error) {
 	params, err := parseHeaderParams(s)
 	if err != nil {
 		return nil, permFailError("key record error: " + err.Error())
 	}
 	res := new(queryResult)
 	if v, ok := params["v"]; ok && v != "DKIM1" {
 		return nil, permFailError("incompatible public key version")
 	}
 	p, ok := params["p"]
 	if !ok {
 		return nil, permFailError("key syntax error: missing public key data")
 	}
 	if p == "" {
 		return nil, permFailError("key revoked")
 	}
 	p = strings.ReplaceAll(p, " ", "")
 	b, err := base64.StdEncoding.DecodeString(p)
 	if err != nil {
 		return nil, permFailError("key syntax error: " + err.Error())
 	}
 	switch params["k"] {
 	case "rsa", "":
 		pub, err := x509.ParsePKIXPublicKey(b)
 		if err != nil {
 			// RFC 6376 is inconsistent about whether RSA public keys should
 			// be formatted as RSAPublicKey or SubjectPublicKeyInfo.
 			// Erratum 3017 (https://www.rfc-editor.org/errata/eid3017) proposes
 			// allowing both.
 			pub, err = x509.ParsePKCS1PublicKey(b)
 			if err != nil {
 				return nil, permFailError("key syntax error: " + err.Error())
 			}
 		}
 		rsaPub, ok := pub.(*rsa.PublicKey)
 		if !ok {
 			return nil, permFailError("key syntax error: not an RSA public key")
 		}
 		// RFC 8301 section 3.2: verifiers MUST NOT consider signatures using
 		// RSA keys of less than 1024 bits as valid signatures.
 		if rsaPub.Size()*8 < 1024 {
 			return nil, permFailError(fmt.Sprintf("key is too short: want 1024 bits, has %v bits", rsaPub.Size()*8))
 		}
 		res.Verifier = rsaVerifier{rsaPub}
 		res.KeyAlgo = "rsa"
 	case "ed25519":
 		if len(b) != ed25519.PublicKeySize {
 			return nil, permFailError(fmt.Sprintf("invalid Ed25519 public key size: %v bytes", len(b)))
 		}
 		ed25519Pub := ed25519.PublicKey(b)
 		res.Verifier = ed25519Verifier{ed25519Pub}
 		res.KeyAlgo = "ed25519"
 	default:
 		return nil, permFailError("unsupported key algorithm")
 	}
 	if hashesStr, ok := params["h"]; ok {
 		res.HashAlgos = parseTagList(hashesStr)
 	}
 	if notes, ok := params["n"]; ok {
 		res.Notes = notes
 	}
 	if servicesStr, ok := params["s"]; ok {
 		services := parseTagList(servicesStr)
 		hasWildcard := false
 		for _, s := range services {
 			if s == "*" {
 				hasWildcard = true
 				break
 			}
 		}
 		if !hasWildcard {
 			res.Services = services
 		}
 	}
 	if flagsStr, ok := params["t"]; ok {
 		res.Flags = parseTagList(flagsStr)
 	}
 	return res, nil
 }
--- a/vendor/github.com/emersion/go-msgauth/dkim/sign.go
+++ b/vendor/github.com/emersion/go-msgauth/dkim/sign.go
@ -1,346 +0,0 @@
 package dkim
 import (
 	"bufio"
 	"bytes"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"strconv"
 	"strings"
 	"time"
 	"golang.org/x/crypto/ed25519"
 )
 var randReader io.Reader = rand.Reader
 // SignOptions is used to configure Sign. Domain, Selector and Signer are
 // mandatory.
 type SignOptions struct {
 	// The SDID claiming responsibility for an introduction of a message into the
 	// mail stream. Hence, the SDID value is used to form the query for the public
 	// key. The SDID MUST correspond to a valid DNS name under which the DKIM key
 	// record is published.
 	//
 	// This can't be empty.
 	Domain string
 	// The selector subdividing the namespace for the domain.
 	//
 	// This can't be empty.
 	Selector string
 	// The Agent or User Identifier (AUID) on behalf of which the SDID is taking
 	// responsibility.
 	//
 	// This is optional.
 	Identifier string
 	// The key used to sign the message.
 	//
 	// Supported Signer.Public() values are *rsa.PublicKey and
 	// ed25519.PublicKey.
 	Signer crypto.Signer
 	// The hash algorithm used to sign the message. If zero, a default hash will
 	// be chosen.
 	//
 	// The only supported hash algorithm is crypto.SHA256.
 	Hash crypto.Hash
 	// Header and body canonicalization algorithms.
 	//
 	// If empty, CanonicalizationSimple is used.
 	HeaderCanonicalization Canonicalization
 	BodyCanonicalization   Canonicalization
 	// A list of header fields to include in the signature. If nil, all headers
 	// will be included. If not nil, "From" MUST be in the list.
 	//
 	// See RFC 6376 section 5.4.1 for recommended header fields.
 	HeaderKeys []string
 	// The expiration time. A zero value means no expiration.
 	Expiration time.Time
 	// A list of query methods used to retrieve the public key.
 	//
 	// If nil, it is implicitly defined as QueryMethodDNSTXT.
 	QueryMethods []QueryMethod
 }
 // Signer generates a DKIM signature.
 //
 // The whole message header and body must be written to the Signer. Close should
 // always be called (either after the whole message has been written, or after
 // an error occurred and the signer won't be used anymore). Close may return an
 // error in case signing fails.
 //
 // After a successful Close, Signature can be called to retrieve the
 // DKIM-Signature header field that the caller should prepend to the message.
 type Signer struct {
 	pw        *io.PipeWriter
 	done      <-chan error
 	sigParams map[string]string // only valid after done received nil
 }
 // NewSigner creates a new signer. It returns an error if SignOptions is
 // invalid.
 func NewSigner(options *SignOptions) (*Signer, error) {
 	if options == nil {
 		return nil, fmt.Errorf("dkim: no options specified")
 	}
 	if options.Domain == "" {
 		return nil, fmt.Errorf("dkim: no domain specified")
 	}
 	if options.Selector == "" {
 		return nil, fmt.Errorf("dkim: no selector specified")
 	}
 	if options.Signer == nil {
 		return nil, fmt.Errorf("dkim: no signer specified")
 	}
 	headerCan := options.HeaderCanonicalization
 	if headerCan == "" {
 		headerCan = CanonicalizationSimple
 	}
 	if _, ok := canonicalizers[headerCan]; !ok {
 		return nil, fmt.Errorf("dkim: unknown header canonicalization %q", headerCan)
 	}
 	bodyCan := options.BodyCanonicalization
 	if bodyCan == "" {
 		bodyCan = CanonicalizationSimple
 	}
 	if _, ok := canonicalizers[bodyCan]; !ok {
 		return nil, fmt.Errorf("dkim: unknown body canonicalization %q", bodyCan)
 	}
 	var keyAlgo string
 	switch options.Signer.Public().(type) {
 	case *rsa.PublicKey:
 		keyAlgo = "rsa"
 	case ed25519.PublicKey:
 		keyAlgo = "ed25519"
 	default:
 		return nil, fmt.Errorf("dkim: unsupported key algorithm %T", options.Signer.Public())
 	}
 	hash := options.Hash
 	var hashAlgo string
 	switch options.Hash {
 	case 0: // sha256 is the default
 		hash = crypto.SHA256
 		fallthrough
 	case crypto.SHA256:
 		hashAlgo = "sha256"
 	case crypto.SHA1:
 		return nil, fmt.Errorf("dkim: hash algorithm too weak: sha1")
 	default:
 		return nil, fmt.Errorf("dkim: unsupported hash algorithm")
 	}
 	if options.HeaderKeys != nil {
 		ok := false
 		for _, k := range options.HeaderKeys {
 			if strings.EqualFold(k, "From") {
 				ok = true
 				break
 			}
 		}
 		if !ok {
 			return nil, fmt.Errorf("dkim: the From header field must be signed")
 		}
 	}
 	done := make(chan error, 1)
 	pr, pw := io.Pipe()
 	s := &Signer{
 		pw:   pw,
 		done: done,
 	}
 	closeReadWithError := func(err error) {
 		pr.CloseWithError(err)
 		done <- err
 	}
 	go func() {
 		defer close(done)
 		// Read header
 		br := bufio.NewReader(pr)
 		h, err := readHeader(br)
 		if err != nil {
 			closeReadWithError(err)
 			return
 		}
 		// Hash body
 		hasher := hash.New()
 		can := canonicalizers[bodyCan].CanonicalizeBody(hasher)
 		if _, err := io.Copy(can, br); err != nil {
 			closeReadWithError(err)
 			return
 		}
 		if err := can.Close(); err != nil {
 			closeReadWithError(err)
 			return
 		}
 		bodyHashed := hasher.Sum(nil)
 		params := map[string]string{
 			"v":  "1",
 			"a":  keyAlgo + "-" + hashAlgo,
 			"bh": base64.StdEncoding.EncodeToString(bodyHashed),
 			"c":  string(headerCan) + "/" + string(bodyCan),
 			"d":  options.Domain,
 			//"l": "", // TODO
 			"s": options.Selector,
 			"t": formatTime(now()),
 			//"z": "", // TODO
 		}
 		var headerKeys []string
 		if options.HeaderKeys != nil {
 			headerKeys = options.HeaderKeys
 		} else {
 			for _, kv := range h {
 				k, _ := parseHeaderField(kv)
 				headerKeys = append(headerKeys, k)
 			}
 		}
 		params["h"] = formatTagList(headerKeys)
 		if options.Identifier != "" {
 			params["i"] = options.Identifier
 		}
 		if options.QueryMethods != nil {
 			methods := make([]string, len(options.QueryMethods))
 			for i, method := range options.QueryMethods {
 				methods[i] = string(method)
 			}
 			params["q"] = formatTagList(methods)
 		}
 		if !options.Expiration.IsZero() {
 			params["x"] = formatTime(options.Expiration)
 		}
 		// Hash and sign headers
 		hasher.Reset()
 		picker := newHeaderPicker(h)
 		for _, k := range headerKeys {
 			kv := picker.Pick(k)
 			if kv == "" {
 				// The Signer MAY include more instances of a header field name
 				// in "h=" than there are actual corresponding header fields so
 				// that the signature will not verify if additional header
 				// fields of that name are added.
 				continue
 			}
 			kv = canonicalizers[headerCan].CanonicalizeHeader(kv)
 			if _, err := io.WriteString(hasher, kv); err != nil {
 				closeReadWithError(err)
 				return
 			}
 		}
 		params["b"] = ""
 		sigField := formatSignature(params)
 		sigField = canonicalizers[headerCan].CanonicalizeHeader(sigField)
 		sigField = strings.TrimRight(sigField, crlf)
 		if _, err := io.WriteString(hasher, sigField); err != nil {
 			closeReadWithError(err)
 			return
 		}
 		hashed := hasher.Sum(nil)
 		// Don't pass Hash to Sign for ed25519 as it doesn't support it
 		// and will return an error ("ed25519: cannot sign hashed message").
 		if keyAlgo == "ed25519" {
 			hash = crypto.Hash(0)
 		}
 		sig, err := options.Signer.Sign(randReader, hashed, hash)
 		if err != nil {
 			closeReadWithError(err)
 			return
 		}
 		params["b"] = base64.StdEncoding.EncodeToString(sig)
 		s.sigParams = params
 		closeReadWithError(nil)
 	}()
 	return s, nil
 }
 // Write implements io.WriteCloser.
 func (s *Signer) Write(b []byte) (n int, err error) {
 	return s.pw.Write(b)
 }
 // Close implements io.WriteCloser. The error return by Close must be checked.
 func (s *Signer) Close() error {
 	if err := s.pw.Close(); err != nil {
 		return err
 	}
 	return <-s.done
 }
 // Signature returns the whole DKIM-Signature header field. It can only be
 // called after a successful Signer.Close call.
 //
 // The returned value contains both the header field name, its value and the
 // final CRLF.
 func (s *Signer) Signature() string {
 	if s.sigParams == nil {
 		panic("dkim: Signer.Signature must only be called after a succesful Signer.Close")
 	}
 	return formatSignature(s.sigParams)
 }
 // Sign signs a message. It reads it from r and writes the signed version to w.
 func Sign(w io.Writer, r io.Reader, options *SignOptions) error {
 	s, err := NewSigner(options)
 	if err != nil {
 		return err
 	}
 	defer s.Close()
 	// We need to keep the message in a buffer so we can write the new DKIM
 	// header field before the rest of the message
 	var b bytes.Buffer
 	mw := io.MultiWriter(&b, s)
 	if _, err := io.Copy(mw, r); err != nil {
 		return err
 	}
 	if err := s.Close(); err != nil {
 		return err
 	}
 	if _, err := io.WriteString(w, s.Signature()); err != nil {
 		return err
 	}
 	_, err = io.Copy(w, &b)
 	return err
 }
 func formatSignature(params map[string]string) string {
 	sig := formatHeaderParams(headerFieldName, params)
 	return sig
 }
 func formatTagList(l []string) string {
 	return strings.Join(l, ":")
 }
 func formatTime(t time.Time) string {
 	return strconv.FormatInt(t.Unix(), 10)
 }
--- a/vendor/github.com/emersion/go-msgauth/dkim/verify.go
+++ b/vendor/github.com/emersion/go-msgauth/dkim/verify.go
@ -1,462 +0,0 @@
 package dkim
 import (
 	"bufio"
 	"crypto"
 	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"regexp"
 	"strconv"
 	"strings"
 	"time"
 	"unicode"
 )
 type permFailError string
 func (err permFailError) Error() string {
 	return "dkim: " + string(err)
 }
 // IsPermFail returns true if the error returned by Verify is a permanent
 // failure. A permanent failure is for instance a missing required field or a
 // malformed header.
 func IsPermFail(err error) bool {
 	_, ok := err.(permFailError)
 	return ok
 }
 type tempFailError string
 func (err tempFailError) Error() string {
 	return "dkim: " + string(err)
 }
 // IsTempFail returns true if the error returned by Verify is a temporary
 // failure.
 func IsTempFail(err error) bool {
 	_, ok := err.(tempFailError)
 	return ok
 }
 type failError string
 func (err failError) Error() string {
 	return "dkim: " + string(err)
 }
 // isFail returns true if the error returned by Verify is a signature error.
 func isFail(err error) bool {
 	_, ok := err.(failError)
 	return ok
 }
 // ErrTooManySignatures is returned by Verify when the message exceeds the
 // maximum number of signatures.
 var ErrTooManySignatures = errors.New("dkim: too many signatures")
 var requiredTags = []string{"v", "a", "b", "bh", "d", "h", "s"}
 // A Verification is produced by Verify when it checks if one signature is
 // valid. If the signature is valid, Err is nil.
 type Verification struct {
 	// The SDID claiming responsibility for an introduction of a message into the
 	// mail stream.
 	Domain string
 	// The Agent or User Identifier (AUID) on behalf of which the SDID is taking
 	// responsibility.
 	Identifier string
 	// The list of signed header fields.
 	HeaderKeys []string
 	// The time that this signature was created. If unknown, it's set to zero.
 	Time time.Time
 	// The expiration time. If the signature doesn't expire, it's set to zero.
 	Expiration time.Time
 	// Err is nil if the signature is valid.
 	Err error
 }
 type signature struct {
 	i int
 	v string
 }
 // VerifyOptions allows to customize the default signature verification
 // behavior.
 type VerifyOptions struct {
 	// LookupTXT returns the DNS TXT records for the given domain name. If nil,
 	// net.LookupTXT is used.
 	LookupTXT func(domain string) ([]string, error)
 	// MaxVerifications controls the maximum number of signature verifications
 	// to perform. If more signatures are present, the first MaxVerifications
 	// signatures are verified, the rest are ignored and ErrTooManySignatures
 	// is returned. If zero, there is no maximum.
 	MaxVerifications int
 }
 // Verify checks if a message's signatures are valid. It returns one
 // verification per signature.
 //
 // There is no guarantee that the reader will be completely consumed.
 func Verify(r io.Reader) ([]*Verification, error) {
 	return VerifyWithOptions(r, nil)
 }
 // VerifyWithOptions performs the same task as Verify, but allows specifying
 // verification options.
 func VerifyWithOptions(r io.Reader, options *VerifyOptions) ([]*Verification, error) {
 	// Read header
 	bufr := bufio.NewReader(r)
 	h, err := readHeader(bufr)
 	if err != nil {
 		return nil, err
 	}
 	// Scan header fields for signatures
 	var signatures []*signature
 	for i, kv := range h {
 		k, v := parseHeaderField(kv)
 		if strings.EqualFold(k, headerFieldName) {
 			signatures = append(signatures, &signature{i, v})
 		}
 	}
 	tooManySignatures := false
 	if options != nil && options.MaxVerifications > 0 && len(signatures) > options.MaxVerifications {
 		tooManySignatures = true
 		signatures = signatures[:options.MaxVerifications]
 	}
 	var verifs []*Verification
 	if len(signatures) == 1 {
 		// If there is only one signature - just verify it.
 		v, err := verify(h, bufr, h[signatures[0].i], signatures[0].v, options)
 		if err != nil && !IsTempFail(err) && !IsPermFail(err) && !isFail(err) {
 			return nil, err
 		}
 		v.Err = err
 		verifs = []*Verification{v}
 	} else {
 		verifs, err = parallelVerify(bufr, h, signatures, options)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if tooManySignatures {
 		return verifs, ErrTooManySignatures
 	}
 	return verifs, nil
 }
 func parallelVerify(r io.Reader, h header, signatures []*signature, options *VerifyOptions) ([]*Verification, error) {
 	pipeWriters := make([]*io.PipeWriter, len(signatures))
 	// We can't pass pipeWriter to io.MultiWriter directly,
 	// we need a slice of io.Writer, but we also need *io.PipeWriter
 	// to call Close on it.
 	writers := make([]io.Writer, len(signatures))
 	chans := make([]chan *Verification, len(signatures))
 	for i, sig := range signatures {
 		// Be careful with loop variables and goroutines.
 		i, sig := i, sig
 		chans[i] = make(chan *Verification, 1)
 		pr, pw := io.Pipe()
 		writers[i] = pw
 		pipeWriters[i] = pw
 		go func() {
 			v, err := verify(h, pr, h[sig.i], sig.v, options)
 			// Make sure we consume the whole reader, otherwise io.Copy on
 			// other side can block forever.
 			io.Copy(ioutil.Discard, pr)
 			v.Err = err
 			chans[i] <- v
 		}()
 	}
 	if _, err := io.Copy(io.MultiWriter(writers...), r); err != nil {
 		return nil, err
 	}
 	for _, wr := range pipeWriters {
 		wr.Close()
 	}
 	verifications := make([]*Verification, len(signatures))
 	for i, ch := range chans {
 		verifications[i] = <-ch
 	}
 	// Return unexpected failures as a separate error.
 	for _, v := range verifications {
 		err := v.Err
 		if err != nil && !IsTempFail(err) && !IsPermFail(err) && !isFail(err) {
 			v.Err = nil
 			return verifications, err
 		}
 	}
 	return verifications, nil
 }
 func verify(h header, r io.Reader, sigField, sigValue string, options *VerifyOptions) (*Verification, error) {
 	verif := new(Verification)
 	params, err := parseHeaderParams(sigValue)
 	if err != nil {
 		return verif, permFailError("malformed signature tags: " + err.Error())
 	}
 	if params["v"] != "1" {
 		return verif, permFailError("incompatible signature version")
 	}
 	verif.Domain = stripWhitespace(params["d"])
 	for _, tag := range requiredTags {
 		if _, ok := params[tag]; !ok {
 			return verif, permFailError("signature missing required tag")
 		}
 	}
 	if i, ok := params["i"]; ok {
 		verif.Identifier = stripWhitespace(i)
 		if !strings.HasSuffix(verif.Identifier, "@"+verif.Domain) && !strings.HasSuffix(verif.Identifier, "."+verif.Domain) {
 			return verif, permFailError("domain mismatch")
 		}
 	} else {
 		verif.Identifier = "@" + verif.Domain
 	}
 	headerKeys := parseTagList(params["h"])
 	ok := false
 	for _, k := range headerKeys {
 		if strings.EqualFold(k, "from") {
 			ok = true
 			break
 		}
 	}
 	if !ok {
 		return verif, permFailError("From field not signed")
 	}
 	verif.HeaderKeys = headerKeys
 	if timeStr, ok := params["t"]; ok {
 		t, err := parseTime(timeStr)
 		if err != nil {
 			return verif, permFailError("malformed time: " + err.Error())
 		}
 		verif.Time = t
 	}
 	if expiresStr, ok := params["x"]; ok {
 		t, err := parseTime(expiresStr)
 		if err != nil {
 			return verif, permFailError("malformed expiration time: " + err.Error())
 		}
 		verif.Expiration = t
 		if now().After(t) {
 			return verif, permFailError("signature has expired")
 		}
 	}
 	// Query public key
 	// TODO: compute hash in parallel
 	methods := []string{string(QueryMethodDNSTXT)}
 	if methodsStr, ok := params["q"]; ok {
 		methods = parseTagList(methodsStr)
 	}
 	var res *queryResult
 	for _, method := range methods {
 		if query, ok := queryMethods[QueryMethod(method)]; ok {
 			if options != nil {
 				res, err = query(verif.Domain, stripWhitespace(params["s"]), options.LookupTXT)
 			} else {
 				res, err = query(verif.Domain, stripWhitespace(params["s"]), nil)
 			}
 			break
 		}
 	}
 	if err != nil {
 		return verif, err
 	} else if res == nil {
 		return verif, permFailError("unsupported public key query method")
 	}
 	// Parse algos
 	keyAlgo, hashAlgo, ok := strings.Cut(stripWhitespace(params["a"]), "-")
 	if !ok {
 		return verif, permFailError("malformed algorithm name")
 	}
 	// Check hash algo
 	if res.HashAlgos != nil {
 		ok := false
 		for _, algo := range res.HashAlgos {
 			if algo == hashAlgo {
 				ok = true
 				break
 			}
 		}
 		if !ok {
 			return verif, permFailError("inappropriate hash algorithm")
 		}
 	}
 	var hash crypto.Hash
 	switch hashAlgo {
 	case "sha1":
 		// RFC 8301 section 3.1: rsa-sha1 MUST NOT be used for signing or
 		// verifying.
 		return verif, permFailError(fmt.Sprintf("hash algorithm too weak: %v", hashAlgo))
 	case "sha256":
 		hash = crypto.SHA256
 	default:
 		return verif, permFailError("unsupported hash algorithm")
 	}
 	// Check key algo
 	if res.KeyAlgo != keyAlgo {
 		return verif, permFailError("inappropriate key algorithm")
 	}
 	if res.Services != nil {
 		ok := false
 		for _, s := range res.Services {
 			if s == "email" {
 				ok = true
 				break
 			}
 		}
 		if !ok {
 			return verif, permFailError("inappropriate service")
 		}
 	}
 	headerCan, bodyCan := parseCanonicalization(params["c"])
 	if _, ok := canonicalizers[headerCan]; !ok {
 		return verif, permFailError("unsupported header canonicalization algorithm")
 	}
 	if _, ok := canonicalizers[bodyCan]; !ok {
 		return verif, permFailError("unsupported body canonicalization algorithm")
 	}
 	// The body length "l" parameter is insecure, because it allows parts of
 	// the message body to not be signed. Reject messages which have it set.
 	if _, ok := params["l"]; ok {
 		// TODO: technically should be policyError
 		return verif, failError("message contains an insecure body length tag")
 	}
 	// Parse body hash and signature
 	bodyHashed, err := decodeBase64String(params["bh"])
 	if err != nil {
 		return verif, permFailError("malformed body hash: " + err.Error())
 	}
 	sig, err := decodeBase64String(params["b"])
 	if err != nil {
 		return verif, permFailError("malformed signature: " + err.Error())
 	}
 	// Check body hash
 	hasher := hash.New()
 	wc := canonicalizers[bodyCan].CanonicalizeBody(hasher)
 	if _, err := io.Copy(wc, r); err != nil {
 		return verif, err
 	}
 	if err := wc.Close(); err != nil {
 		return verif, err
 	}
 	if subtle.ConstantTimeCompare(hasher.Sum(nil), bodyHashed) != 1 {
 		return verif, failError("body hash did not verify")
 	}
 	// Compute data hash
 	hasher.Reset()
 	picker := newHeaderPicker(h)
 	for _, key := range headerKeys {
 		kv := picker.Pick(key)
 		if kv == "" {
 			// The field MAY contain names of header fields that do not exist
 			// when signed; nonexistent header fields do not contribute to the
 			// signature computation
 			continue
 		}
 		kv = canonicalizers[headerCan].CanonicalizeHeader(kv)
 		if _, err := hasher.Write([]byte(kv)); err != nil {
 			return verif, err
 		}
 	}
 	canSigField := removeSignature(sigField)
 	canSigField = canonicalizers[headerCan].CanonicalizeHeader(canSigField)
 	canSigField = strings.TrimRight(canSigField, "\r\n")
 	if _, err := hasher.Write([]byte(canSigField)); err != nil {
 		return verif, err
 	}
 	hashed := hasher.Sum(nil)
 	// Check signature
 	if err := res.Verifier.Verify(hash, hashed, sig); err != nil {
 		return verif, failError("signature did not verify: " + err.Error())
 	}
 	return verif, nil
 }
 func parseTagList(s string) []string {
 	tags := strings.Split(s, ":")
 	for i, t := range tags {
 		tags[i] = stripWhitespace(t)
 	}
 	return tags
 }
 func parseCanonicalization(s string) (headerCan, bodyCan Canonicalization) {
 	headerCan = CanonicalizationSimple
 	bodyCan = CanonicalizationSimple
 	cans := strings.SplitN(stripWhitespace(s), "/", 2)
 	if cans[0] != "" {
 		headerCan = Canonicalization(cans[0])
 	}
 	if len(cans) > 1 {
 		bodyCan = Canonicalization(cans[1])
 	}
 	return
 }
 func parseTime(s string) (time.Time, error) {
 	sec, err := strconv.ParseInt(stripWhitespace(s), 10, 64)
 	if err != nil {
 		return time.Time{}, err
 	}
 	return time.Unix(sec, 0), nil
 }
 func decodeBase64String(s string) ([]byte, error) {
 	return base64.StdEncoding.DecodeString(stripWhitespace(s))
 }
 func stripWhitespace(s string) string {
 	return strings.Map(func(r rune) rune {
 		if unicode.IsSpace(r) {
 			return -1
 		}
 		return r
 	}, s)
 }
 var sigRegex = regexp.MustCompile(`(b\s*=)[^;]+`)
 func removeSignature(s string) string {
 	return sigRegex.ReplaceAllString(s, "$1")
 }
--- a/vendor/github.com/ergochat/irc-go/ircmsg/message.go
+++ b/vendor/github.com/ergochat/irc-go/ircmsg/message.go
@ -196,15 +196,6 @@ func trimInitialSpaces(str string) string {
 	return str[i:]
 }
 func isASCII(str string) bool {
 	for i := 0; i < len(str); i++ {
 		if str[i] > 127 {
 			return false
 		}
 	}
 	return true
 }
 func parseLine(line string, maxTagDataLength int, truncateLen int) (ircmsg Message, err error) {
 	// remove either \n or \r\n from the end of the line:
 	line = strings.TrimSuffix(line, "\n")
@ -274,16 +265,11 @@ func parseLine(line string, maxTagDataLength int, truncateLen int) (ircmsg Messa
 		commandEnd = len(line)
 		paramStart = len(line)
 	}
-	baseCommand := line[:commandEnd]
+	// normalize command to uppercase:
-	if len(baseCommand) == 0 {
+	ircmsg.Command = strings.ToUpper(line[:commandEnd])
 	if len(ircmsg.Command) == 0 {
 		return ircmsg, ErrorLineIsEmpty
 	}
 	// technically this must be either letters or a 3-digit numeric:
 	if !isASCII(baseCommand) {
 		return ircmsg, ErrorLineContainsBadChar
 	}
 	// normalize command to uppercase:
 	ircmsg.Command = strings.ToUpper(baseCommand)
 	line = line[paramStart:]
 	for {
--- a/vendor/github.com/ergochat/irc-go/ircutils/sasl.go
+++ b/vendor/github.com/ergochat/irc-go/ircutils/sasl.go
@ -3,6 +3,7 @@ package ircutils
 import (
 	"encoding/base64"
 	"errors"
 	"strings"
 )
 var (
@ -24,7 +25,6 @@ func EncodeSASLResponse(raw []byte) (result []string) {
 	}
 	response := base64.StdEncoding.EncodeToString(raw)
 	result = make([]string, 0, (len(response)/400)+1)
 	lastLen := 0
 	for len(response) > 0 {
 		// TODO once we require go 1.21, this can be: lastLen = min(len(response), 400)
@ -48,11 +48,11 @@ func EncodeSASLResponse(raw []byte) (result []string) {
 // Do not copy a SASLBuffer after first use.
 type SASLBuffer struct {
 	maxLength int
-	buf       []byte
+	buffer    strings.Builder
 }
 // NewSASLBuffer returns a new SASLBuffer. maxLength is the maximum amount of
-// data to buffer (0 for no limit).
+// base64'ed data to buffer (0 for no limit).
 func NewSASLBuffer(maxLength int) *SASLBuffer {
 	result := new(SASLBuffer)
 	result.Initialize(maxLength)
@ -69,43 +69,37 @@ func (b *SASLBuffer) Initialize(maxLength int) {
 // response along with any decoding or protocol errors detected.
 func (b *SASLBuffer) Add(value string) (done bool, output []byte, err error) {
 	if value == "+" {
-		// total size is a multiple of 400 (possibly 0)
+		output, err = b.getAndReset()
-		output = b.buf
+		return true, output, err
 		b.Clear()
 		return true, output, nil
 	}
 	if len(value) > 400 {
-		b.Clear()
+		b.buffer.Reset()
 		return true, nil, ErrSASLTooLong
 	}
-	curLen := len(b.buf)
+	if b.maxLength != 0 && (b.buffer.Len()+len(value)) > b.maxLength {
-	chunkDecodedLen := base64.StdEncoding.DecodedLen(len(value))
+		b.buffer.Reset()
 	if b.maxLength != 0 && (curLen+chunkDecodedLen) > b.maxLength {
 		b.Clear()
 		return true, nil, ErrSASLLimitExceeded
 	}
-	// "append-make pattern" as in the bytes.Buffer implementation:
+	b.buffer.WriteString(value)
 	b.buf = append(b.buf, make([]byte, chunkDecodedLen)...)
 	n, err := base64.StdEncoding.Decode(b.buf[curLen:], []byte(value))
 	b.buf = b.buf[0 : curLen+n]
 	if err != nil {
 		b.Clear()
 		return true, nil, err
 	}
 	if len(value) < 400 {
-		output = b.buf
+		output, err = b.getAndReset()
-		b.Clear()
+		return true, output, err
 		return true, output, nil
 	} else {
 		// 400 bytes, wait for continuation line or +
 		return false, nil, nil
 	}
 }
 // Clear resets the buffer state.
 func (b *SASLBuffer) Clear() {
-	// we can't reuse this buffer in general since we may have returned it
+	b.buffer.Reset()
-	b.buf = nil
+}
 func (b *SASLBuffer) getAndReset() (output []byte, err error) {
 	output, err = base64.StdEncoding.DecodeString(b.buffer.String())
 	b.buffer.Reset()
 	return
 }
--- a/vendor/github.com/ergochat/webpush-go/v2/.check-gofmt.sh
+++ b/vendor/github.com/ergochat/webpush-go/v2/.check-gofmt.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 SOURCES="."
 if [ "$1" = "--fix" ]; then
 	exec gofmt -s -w $SOURCES
 fi
 if [ -n "$(gofmt -s -l $SOURCES)" ]; then
    echo "Go code is not formatted correctly with \`gofmt -s\`:"
    gofmt -s -d $SOURCES
    exit 1
 fi
--- a/vendor/github.com/ergochat/webpush-go/v2/.gitignore
+++ b/vendor/github.com/ergochat/webpush-go/v2/.gitignore
@ -1,6 +0,0 @@
 vendor/**
 .DS_Store
 *.out
 *.swp
--- a/vendor/github.com/ergochat/webpush-go/v2/CHANGELOG.md
+++ b/vendor/github.com/ergochat/webpush-go/v2/CHANGELOG.md
@ -1,14 +0,0 @@
 # Changelog
 All notable changes to webpush-go will be documented in this file.
 ## [2.0.0] - 2025-01-16
 * Update the `Keys` struct definition to store `Auth` as `[16]byte` and `P256dh` as `*ecdh.PublicKey`
    * `Keys` can no longer be compared with `==`; use `(*Keys.Equal)` instead
    * The JSON representation has not changed and is backwards and forwards compatible with v1
    * `DecodeSubscriptionKeys` is a helper to decode base64-encoded auth and p256dh parameters into a `Keys`, with validation
 * Update the `VAPIDKeys` struct to contain a `(*ecdsa.PrivateKey)`
    * `VAPIDKeys` can no longer be compared with `==`; use `(*VAPIDKeys).Equal` instead
    * The JSON representation is now a JSON string containing the PEM of the PKCS8-encoded private key
    * To parse the legacy representation (raw bytes of the private key encoded in base64), use `DecodeLegacyVAPIDPrivateKey`
 * Renamed `SendNotificationWithContext` to `SendNotification`, removing the earlier `SendNotification` API. (Pass `context.Background()` as the context to restore the former behavior.)
--- a/vendor/github.com/ergochat/webpush-go/v2/LICENSE
+++ b/vendor/github.com/ergochat/webpush-go/v2/LICENSE
@ -1,21 +0,0 @@
 MIT License
 Copyright (c) 2016 Ethan Holmes
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/vendor/github.com/ergochat/webpush-go/v2/Makefile
+++ b/vendor/github.com/ergochat/webpush-go/v2/Makefile
@ -1,6 +0,0 @@
 .PHONY: test
 test:
 	go test .
 	go vet .
 	./.check-gofmt.sh
--- a/vendor/github.com/ergochat/webpush-go/v2/README.md
+++ b/vendor/github.com/ergochat/webpush-go/v2/README.md
@ -1,65 +0,0 @@
 # webpush-go
 [![GoDoc](https://godoc.org/github.com/ergochat/webpush-go?status.svg)](https://godoc.org/github.com/ergochat/webpush-go)
 Web Push API Encryption with VAPID support.
 This library is a fork of [SherClockHolmes/webpush-go](https://github.com/SherClockHolmes/webpush-go). See CHANGELOG.md for details on migrating from the upstream library.
 ```bash
 go get -u github.com/ergochat/webpush-go/v2
 ```
 ## Example
 For a full example, refer to the code in the [example](example/) directory.
 ```go
 package main
 import (
 	"encoding/json"
 	webpush "github.com/ergochat/webpush-go/v2"
 )
 func main() {
 	// Decode subscription
 	s := &webpush.Subscription{}
 	json.Unmarshal([]byte("<YOUR_SUBSCRIPTION>"), s)
 	vapidKeys := new(webpush.VAPIDKeys)
 	json.Unmarshal([]byte("<YOUR_VAPID_KEYS">), vapidKeys)
 	// Send Notification
 	resp, err := webpush.SendNotification([]byte("Test"), s, &webpush.Options{
 		Subscriber:      "example@example.com",
 		VAPIDKeys:       vapidKeys,
 		TTL:             3600, // seconds
 	})
 	if err != nil {
 		// TODO: Handle error
 	}
 	defer resp.Body.Close()
 }
 ```
 ### Generating VAPID Keys
 Use the helper method `GenerateVAPIDKeys` to generate the VAPID key pair.
 ```golang
 vapidKeys, err := webpush.GenerateVAPIDKeys()
 if err != nil {
 	// TODO: Handle error
 }
 ```
 ## Development
 1. Install [Go 1.20+](https://golang.org/)
 2. `go mod vendor`
 3. `go test`
 #### For other language implementations visit:
 [WebPush Libs](https://github.com/web-push-libs)
--- a/vendor/github.com/ergochat/webpush-go/v2/legacy.go
+++ b/vendor/github.com/ergochat/webpush-go/v2/legacy.go
@ -1,76 +0,0 @@
 package webpush
 import (
 	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"encoding/base64"
 	"fmt"
 	"math/big"
 )
 // ecdhPublicKeyToECDSA converts an ECDH key to an ECDSA key.
 // This is deprecated as per https://github.com/golang/go/issues/63963
 // but we need to do it in order to parse the legacy private key format.
 func ecdhPublicKeyToECDSA(key *ecdh.PublicKey) (*ecdsa.PublicKey, error) {
 	rawKey := key.Bytes()
 	switch key.Curve() {
 	case ecdh.P256():
 		return &ecdsa.PublicKey{
 			Curve: elliptic.P256(),
 			X:     big.NewInt(0).SetBytes(rawKey[1:33]),
 			Y:     big.NewInt(0).SetBytes(rawKey[33:]),
 		}, nil
 	case ecdh.P384():
 		return &ecdsa.PublicKey{
 			Curve: elliptic.P384(),
 			X:     big.NewInt(0).SetBytes(rawKey[1:49]),
 			Y:     big.NewInt(0).SetBytes(rawKey[49:]),
 		}, nil
 	case ecdh.P521():
 		return &ecdsa.PublicKey{
 			Curve: elliptic.P521(),
 			X:     big.NewInt(0).SetBytes(rawKey[1:67]),
 			Y:     big.NewInt(0).SetBytes(rawKey[67:]),
 		}, nil
 	default:
 		return nil, fmt.Errorf("cannot convert non-NIST *ecdh.PublicKey to *ecdsa.PublicKey")
 	}
 }
 func ecdhPrivateKeyToECDSA(key *ecdh.PrivateKey) (*ecdsa.PrivateKey, error) {
 	// see https://github.com/golang/go/issues/63963
 	pubKey, err := ecdhPublicKeyToECDSA(key.PublicKey())
 	if err != nil {
 		return nil, fmt.Errorf("converting PublicKey part of *ecdh.PrivateKey: %w", err)
 	}
 	return &ecdsa.PrivateKey{
 		PublicKey: *pubKey,
 		D:         big.NewInt(0).SetBytes(key.Bytes()),
 	}, nil
 }
 // DecodeLegacyVAPIDPrivateKey decodes the legacy string private key format
 // returned by GenerateVAPIDKeys in v1.
 func DecodeLegacyVAPIDPrivateKey(key string) (*VAPIDKeys, error) {
 	bytes, err := decodeSubscriptionKey(key)
 	if err != nil {
 		return nil, err
 	}
 	ecdhPrivKey, err := ecdh.P256().NewPrivateKey(bytes)
 	if err != nil {
 		return nil, err
 	}
 	ecdsaPrivKey, err := ecdhPrivateKeyToECDSA(ecdhPrivKey)
 	if err != nil {
 		return nil, err
 	}
 	publicKey := base64.RawURLEncoding.EncodeToString(ecdhPrivKey.PublicKey().Bytes())
 	return &VAPIDKeys{
 		privateKey: ecdsaPrivKey,
 		publicKey:  publicKey,
 	}, nil
 }
--- a/vendor/github.com/ergochat/webpush-go/v2/urgency.go
+++ b/vendor/github.com/ergochat/webpush-go/v2/urgency.go
@ -1,26 +0,0 @@
 package webpush
 // Urgency indicates to the push service how important a message is to the user.
 // This can be used by the push service to help conserve the battery life of a user's device
 // by only waking up for important messages when battery is low.
 type Urgency string
 const (
 	// UrgencyVeryLow requires device state: on power and Wi-Fi
 	UrgencyVeryLow Urgency = "very-low"
 	// UrgencyLow requires device state: on either power or Wi-Fi
 	UrgencyLow Urgency = "low"
 	// UrgencyNormal excludes device state: low battery
 	UrgencyNormal Urgency = "normal"
 	// UrgencyHigh admits device state: low battery
 	UrgencyHigh Urgency = "high"
 )
 // Checking allowable values for the urgency header
 func isValidUrgency(urgency Urgency) bool {
 	switch urgency {
 	case UrgencyVeryLow, UrgencyLow, UrgencyNormal, UrgencyHigh:
 		return true
 	}
 	return false
 }
--- a/vendor/github.com/ergochat/webpush-go/v2/vapid.go
+++ b/vendor/github.com/ergochat/webpush-go/v2/vapid.go
@ -1,177 +0,0 @@
 package webpush
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"net/url"
 	"strings"
 	"time"
 	jwt "github.com/golang-jwt/jwt/v5"
 )
 // VAPIDKeys is a public-private keypair for use in VAPID.
 // It marshals to a JSON string containing the PEM of the PKCS8
 // of the private key.
 type VAPIDKeys struct {
 	privateKey *ecdsa.PrivateKey
 	publicKey  string // raw bytes encoding in urlsafe base64, as per RFC
 }
 // PublicKeyString returns the base64url-encoded uncompressed public key of the keypair,
 // as defined in RFC8292.
 func (v *VAPIDKeys) PublicKeyString() string {
 	return v.publicKey
 }
 // PrivateKey returns the private key of the keypair.
 func (v *VAPIDKeys) PrivateKey() *ecdsa.PrivateKey {
 	return v.privateKey
 }
 // Equal compares two VAPIDKeys for equality.
 func (v *VAPIDKeys) Equal(o *VAPIDKeys) bool {
 	return v.privateKey.Equal(o.privateKey)
 }
 var _ json.Marshaler = (*VAPIDKeys)(nil)
 var _ json.Unmarshaler = (*VAPIDKeys)(nil)
 // MarshalJSON implements json.Marshaler, allowing serialization to JSON.
 func (v *VAPIDKeys) MarshalJSON() ([]byte, error) {
 	pkcs8bytes, err := x509.MarshalPKCS8PrivateKey(v.privateKey)
 	if err != nil {
 		return nil, err
 	}
 	pemBlock := pem.Block{
 		Type:  "PRIVATE KEY",
 		Bytes: pkcs8bytes,
 	}
 	pemBytes := pem.EncodeToMemory(&pemBlock)
 	if pemBytes == nil {
 		return nil, fmt.Errorf("could not encode VAPID keys as PEM")
 	}
 	return json.Marshal(string(pemBytes))
 }
 // MarshalJSON implements json.Unmarshaler, allowing deserialization from JSON.
 func (v *VAPIDKeys) UnmarshalJSON(b []byte) error {
 	var pemKey string
 	if err := json.Unmarshal(b, &pemKey); err != nil {
 		return err
 	}
 	pemBlock, _ := pem.Decode([]byte(pemKey))
 	if pemBlock == nil {
 		return fmt.Errorf("could not decode PEM block with VAPID keys")
 	}
 	privKey, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
 	if err != nil {
 		return err
 	}
 	privateKey, ok := privKey.(*ecdsa.PrivateKey)
 	if !ok {
 		return fmt.Errorf("Invalid type of private key %T", privateKey)
 	}
 	if privateKey.Curve != elliptic.P256() {
 		return fmt.Errorf("Invalid curve for private key %v", privateKey.Curve)
 	}
 	publicKeyStr, err := makePublicKeyString(privateKey)
 	if err != nil {
 		return err // should not be possible since we confirmed P256 already
 	}
 	// success
 	v.privateKey = privateKey
 	v.publicKey = publicKeyStr
 	return nil
 }
 // GenerateVAPIDKeys generates a VAPID keypair (an ECDSA keypair on
 // the P-256 curve).
 func GenerateVAPIDKeys() (result *VAPIDKeys, err error) {
 	private, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return
 	}
 	pubKeyECDH, err := private.PublicKey.ECDH()
 	if err != nil {
 		return
 	}
 	publicKey := base64.RawURLEncoding.EncodeToString(pubKeyECDH.Bytes())
 	return &VAPIDKeys{
 		privateKey: private,
 		publicKey:  publicKey,
 	}, nil
 }
 // ECDSAToVAPIDKeys wraps an existing ecdsa.PrivateKey in VAPIDKeys for use in
 // VAPID header signing.
 func ECDSAToVAPIDKeys(privKey *ecdsa.PrivateKey) (result *VAPIDKeys, err error) {
 	if privKey.Curve != elliptic.P256() {
 		return nil, fmt.Errorf("Invalid curve for private key %v", privKey.Curve)
 	}
 	publicKeyString, err := makePublicKeyString(privKey)
 	if err != nil {
 		return nil, err
 	}
 	return &VAPIDKeys{
 		privateKey: privKey,
 		publicKey:  publicKeyString,
 	}, nil
 }
 func makePublicKeyString(privKey *ecdsa.PrivateKey) (result string, err error) {
 	// to get the raw bytes we have to convert the public key to *ecdh.PublicKey
 	// this type assertion (from the crypto.PublicKey returned by (*ecdsa.PrivateKey).Public()
 	// to *ecdsa.PublicKey) cannot fail:
 	publicKey, err := privKey.Public().(*ecdsa.PublicKey).ECDH()
 	if err != nil {
 		return // should not be possible if we confirmed P256 already
 	}
 	return base64.RawURLEncoding.EncodeToString(publicKey.Bytes()), nil
 }
 // getVAPIDAuthorizationHeader
 func getVAPIDAuthorizationHeader(
 	endpoint string,
 	subscriber string,
 	vapidKeys *VAPIDKeys,
 	expiration time.Time,
 ) (string, error) {
 	if expiration.IsZero() {
 		expiration = time.Now().Add(time.Hour * 12)
 	}
 	// Create the JWT token
 	subURL, err := url.Parse(endpoint)
 	if err != nil {
 		return "", err
 	}
 	// Unless subscriber is an HTTPS URL, assume an e-mail address
 	if !strings.HasPrefix(subscriber, "https:") && !strings.HasPrefix(subscriber, "mailto:") {
 		subscriber = "mailto:" + subscriber
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodES256, jwt.MapClaims{
 		"aud": subURL.Scheme + "://" + subURL.Host,
 		"exp": expiration.Unix(),
 		"sub": subscriber,
 	})
 	// Sign token with private key
 	jwtString, err := token.SignedString(vapidKeys.privateKey)
 	if err != nil {
 		return "", err
 	}
 	return "vapid t=" + jwtString + ", k=" + vapidKeys.publicKey, nil
 }
--- a/vendor/github.com/ergochat/webpush-go/v2/webpush.go
+++ b/vendor/github.com/ergochat/webpush-go/v2/webpush.go
@ -1,323 +0,0 @@
 package webpush
 import (
 	"bytes"
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ecdh"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"golang.org/x/crypto/hkdf"
 )
 const MaxRecordSize uint32 = 4096
 var (
 	ErrRecordSizeTooSmall = errors.New("record size too small for message")
 	invalidAuthKeyLength = errors.New("invalid auth key length (must be 16)")
 	defaultHTTPClient HTTPClient = &http.Client{}
 )
 // HTTPClient is an interface for sending the notification HTTP request / testing
 type HTTPClient interface {
 	Do(*http.Request) (*http.Response, error)
 }
 // Options are config and extra params needed to send a notification
 type Options struct {
 	HTTPClient      HTTPClient // Will replace with *http.Client by default if not included
 	RecordSize      uint32     // Limit the record size
 	Subscriber      string     // Sub in VAPID JWT token
 	Topic           string     // Set the Topic header to collapse a pending messages (Optional)
 	TTL             int        // Set the TTL on the endpoint POST request, in seconds
 	Urgency         Urgency    // Set the Urgency header to change a message priority (Optional)
 	VAPIDKeys       *VAPIDKeys // VAPID public-private keypair to generate the VAPID Authorization header
 	VapidExpiration time.Time  // optional expiration for VAPID JWT token (defaults to now + 12 hours)
 }
 // Keys represents a subscription's keys (its ECDH public key on the P-256 curve
 // and its 16-byte authentication secret).
 type Keys struct {
 	Auth   [16]byte
 	P256dh *ecdh.PublicKey
 }
 // Equal compares two Keys for equality.
 func (k *Keys) Equal(o Keys) bool {
 	return k.Auth == o.Auth && k.P256dh.Equal(o.P256dh)
 }
 var _ json.Marshaler = (*Keys)(nil)
 var _ json.Unmarshaler = (*Keys)(nil)
 type marshaledKeys struct {
 	Auth   string `json:"auth"`
 	P256dh string `json:"p256dh"`
 }
 // MarshalJSON implements json.Marshaler, allowing serialization to JSON.
 func (k *Keys) MarshalJSON() ([]byte, error) {
 	m := marshaledKeys{
 		Auth:   base64.RawStdEncoding.EncodeToString(k.Auth[:]),
 		P256dh: base64.RawStdEncoding.EncodeToString(k.P256dh.Bytes()),
 	}
 	return json.Marshal(&m)
 }
 // MarshalJSON implements json.Unmarshaler, allowing deserialization from JSON.
 func (k *Keys) UnmarshalJSON(b []byte) (err error) {
 	var m marshaledKeys
 	if err := json.Unmarshal(b, &m); err != nil {
 		return err
 	}
 	authBytes, err := decodeSubscriptionKey(m.Auth)
 	if err != nil {
 		return err
 	}
 	if len(authBytes) != 16 {
 		return fmt.Errorf("invalid auth bytes length %d (must be 16)", len(authBytes))
 	}
 	copy(k.Auth[:], authBytes)
 	rawDHKey, err := decodeSubscriptionKey(m.P256dh)
 	if err != nil {
 		return err
 	}
 	k.P256dh, err = ecdh.P256().NewPublicKey(rawDHKey)
 	return err
 }
 // DecodeSubscriptionKeys decodes and validates a base64-encoded pair of subscription keys
 // (the authentication secret and ECDH public key).
 func DecodeSubscriptionKeys(auth, p256dh string) (keys Keys, err error) {
 	authBytes, err := decodeSubscriptionKey(auth)
 	if err != nil {
 		return
 	}
 	if len(authBytes) != 16 {
 		err = invalidAuthKeyLength
 		return
 	}
 	copy(keys.Auth[:], authBytes)
 	dhBytes, err := decodeSubscriptionKey(p256dh)
 	if err != nil {
 		return
 	}
 	keys.P256dh, err = ecdh.P256().NewPublicKey(dhBytes)
 	if err != nil {
 		return
 	}
 	return
 }
 // Subscription represents a PushSubscription object from the Push API
 type Subscription struct {
 	Endpoint string `json:"endpoint"`
 	Keys     Keys   `json:"keys"`
 }
 // SendNotification sends a push notification to a subscription's endpoint,
 // applying encryption (RFC 8291) and adding a VAPID header (RFC 8292).
 func SendNotification(ctx context.Context, message []byte, s *Subscription, options *Options) (*http.Response, error) {
 	// Compose message body (RFC8291 encryption of the message)
 	body, err := EncryptNotification(message, s.Keys, options.RecordSize)
 	if err != nil {
 		return nil, err
 	}
 	// Get VAPID Authorization header
 	vapidAuthHeader, err := getVAPIDAuthorizationHeader(
 		s.Endpoint,
 		options.Subscriber,
 		options.VAPIDKeys,
 		options.VapidExpiration,
 	)
 	if err != nil {
 		return nil, err
 	}
 	// Compose and send the HTTP request
 	return sendNotification(ctx, s.Endpoint, options, vapidAuthHeader, body)
 }
 // EncryptNotification implements the encryption algorithm specified by RFC 8291 for web push
 // (RFC 8188's aes128gcm content-encoding, with the key material derived from
 // elliptic curve Diffie-Hellman over the P-256 curve).
 func EncryptNotification(message []byte, keys Keys, recordSize uint32) ([]byte, error) {
 	// Get the record size
 	if recordSize == 0 {
 		recordSize = MaxRecordSize
 	} else if recordSize < 128 {
 		return nil, ErrRecordSizeTooSmall
 	}
 	// Allocate buffer to hold the eventual message
 	// [ header block ] [ ciphertext ] [ 16 byte AEAD tag ], totaling RecordSize bytes
 	// the ciphertext is the encryption of: [ message ] [ \x02 ] [ 0 or more \x00 as needed ]
 	recordBuf := make([]byte, recordSize)
 	// remainingBuf tracks our current writing position in recordBuf:
 	remainingBuf := recordBuf
 	// Application server key pairs (single use)
 	localPrivateKey, err := ecdh.P256().GenerateKey(rand.Reader)
 	if err != nil {
 		return nil, err
 	}
 	localPublicKey := localPrivateKey.PublicKey()
 	// Encryption Content-Coding Header
 	// +-----------+--------+-----------+---------------+
 	// | salt (16) | rs (4) | idlen (1) | keyid (idlen) |
 	// +-----------+--------+-----------+---------------+
 	// in our case the keyid is localPublicKey.Bytes(), so 65 bytes
 	// First, generate the salt
 	_, err = rand.Read(remainingBuf[:16])
 	if err != nil {
 		return nil, err
 	}
 	salt := remainingBuf[:16]
 	remainingBuf = remainingBuf[16:]
 	binary.BigEndian.PutUint32(remainingBuf[:], recordSize)
 	remainingBuf = remainingBuf[4:]
 	localPublicKeyBytes := localPublicKey.Bytes()
 	remainingBuf[0] = byte(len(localPublicKeyBytes))
 	remainingBuf = remainingBuf[1:]
 	copy(remainingBuf[:], localPublicKeyBytes)
 	remainingBuf = remainingBuf[len(localPublicKeyBytes):]
 	// Combine application keys with receiver's EC public key to derive ECDH shared secret
 	sharedECDHSecret, err := localPrivateKey.ECDH(keys.P256dh)
 	if err != nil {
 		return nil, fmt.Errorf("deriving shared secret: %w", err)
 	}
 	// ikm
 	prkInfoBuf := bytes.NewBuffer([]byte("WebPush: info\x00"))
 	prkInfoBuf.Write(keys.P256dh.Bytes())
 	prkInfoBuf.Write(localPublicKey.Bytes())
 	prkHKDF := hkdf.New(sha256.New, sharedECDHSecret, keys.Auth[:], prkInfoBuf.Bytes())
 	ikm, err := getHKDFKey(prkHKDF, 32)
 	if err != nil {
 		return nil, err
 	}
 	// Derive Content Encryption Key
 	contentEncryptionKeyInfo := []byte("Content-Encoding: aes128gcm\x00")
 	contentHKDF := hkdf.New(sha256.New, ikm, salt, contentEncryptionKeyInfo)
 	contentEncryptionKey, err := getHKDFKey(contentHKDF, 16)
 	if err != nil {
 		return nil, err
 	}
 	// Derive the Nonce
 	nonceInfo := []byte("Content-Encoding: nonce\x00")
 	nonceHKDF := hkdf.New(sha256.New, ikm, salt, nonceInfo)
 	nonce, err := getHKDFKey(nonceHKDF, 12)
 	if err != nil {
 		return nil, err
 	}
 	// Cipher
 	c, err := aes.NewCipher(contentEncryptionKey)
 	if err != nil {
 		return nil, err
 	}
 	gcm, err := cipher.NewGCM(c)
 	if err != nil {
 		return nil, err
 	}
 	// need 1 byte for the 0x02 delimiter, 16 bytes for the AEAD tag
 	if len(remainingBuf) < len(message)+17 {
 		return nil, ErrRecordSizeTooSmall
 	}
 	// Copy the message plaintext into the buffer
 	copy(remainingBuf[:], message[:])
 	// The plaintext to be encrypted will include the padding delimiter and the padding;
 	// cut off the final 16 bytes that are reserved for the AEAD tag
 	plaintext := remainingBuf[:len(remainingBuf)-16]
 	remainingBuf = remainingBuf[len(message):]
 	// Add padding delimiter
 	remainingBuf[0] = '\x02'
 	remainingBuf = remainingBuf[1:]
 	// The rest of the buffer is already zero-padded
 	// Encipher the plaintext in place, then add the AEAD tag at the end.
 	// "To reuse plaintext's storage for the encrypted output, use plaintext[:0]
 	// as dst. Otherwise, the remaining capacity of dst must not overlap plaintext."
 	gcm.Seal(plaintext[:0], nonce, plaintext, nil)
 	return recordBuf, nil
 }
 func sendNotification(ctx context.Context, endpoint string, options *Options, vapidAuthHeader string, body []byte) (*http.Response, error) {
 	// POST request
 	req, err := http.NewRequest("POST", endpoint, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, err
 	}
 	if ctx != nil {
 		req = req.WithContext(ctx)
 	}
 	req.Header.Set("Content-Encoding", "aes128gcm")
 	req.Header.Set("Content-Type", "application/octet-stream")
 	req.Header.Set("TTL", strconv.Itoa(options.TTL))
 	// Сheck the optional headers
 	if len(options.Topic) > 0 {
 		req.Header.Set("Topic", options.Topic)
 	}
 	if isValidUrgency(options.Urgency) {
 		req.Header.Set("Urgency", string(options.Urgency))
 	}
 	req.Header.Set("Authorization", vapidAuthHeader)
 	// Send the request
 	var client HTTPClient
 	if options.HTTPClient != nil {
 		client = options.HTTPClient
 	} else {
 		client = defaultHTTPClient
 	}
 	return client.Do(req)
 }
 // decodeSubscriptionKey decodes a base64 subscription key.
 func decodeSubscriptionKey(key string) ([]byte, error) {
 	key = strings.TrimRight(key, "=")
 	if strings.IndexByte(key, '+') != -1 || strings.IndexByte(key, '/') != -1 {
 		return base64.RawStdEncoding.DecodeString(key)
 	}
 	return base64.RawURLEncoding.DecodeString(key)
 }
 // Returns a key of length "length" given an hkdf function
 func getHKDFKey(hkdf io.Reader, length int) ([]byte, error) {
 	key := make([]byte, length)
 	n, err := io.ReadFull(hkdf, key)
 	if n != len(key) || err != nil {
 		return key, err
 	}
 	return key, nil
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/README.md
+++ b/vendor/github.com/golang-jwt/jwt/v5/README.md
@ -10,11 +10,11 @@ implementation of [JSON Web
 Tokens](https://datatracker.ietf.org/doc/html/rfc7519).
 Starting with [v4.0.0](https://github.com/golang-jwt/jwt/releases/tag/v4.0.0)
-this project adds Go module support, but maintains backward compatibility with
+this project adds Go module support, but maintains backwards compatibility with
 older `v3.x.y` tags and upstream `github.com/dgrijalva/jwt-go`. See the
 [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information. Version
 v5.0.0 introduces major improvements to the validation of tokens, but is not
-entirely backward compatible. 
+entirely backwards compatible. 
 > After the original author of the library suggested migrating the maintenance
 > of `jwt-go`, a dedicated team of open source maintainers decided to clone the
@ -24,7 +24,7 @@ entirely backward compatible.
 **SECURITY NOTICE:** Some older versions of Go have a security issue in the
-crypto/elliptic. The recommendation is to upgrade to at least 1.15 See issue
+crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue
 [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more
 detail.
@ -32,7 +32,7 @@ detail.
 what you
 expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/).
 This library attempts to make it easy to do the right thing by requiring key
-types to match the expected alg, but you should take the extra step to verify it in
+types match the expected alg, but you should take the extra step to verify it in
 your usage.  See the examples provided.
 ### Supported Go versions
@ -41,7 +41,7 @@ Our support of Go versions is aligned with Go's [version release
 policy](https://golang.org/doc/devel/release#policy). So we will support a major
 version of Go until there are two newer major releases. We no longer support
 building jwt-go with unsupported Go versions, as these contain security
-vulnerabilities that will not be fixed.
+vulnerabilities which will not be fixed.
 ## What the heck is a JWT?
@ -117,7 +117,7 @@ notable differences:
 This library is considered production ready.  Feedback and feature requests are
 appreciated.  The API should be considered stable.  There should be very few
-backward-incompatible changes outside of major version updates (and only with
+backwards-incompatible changes outside of major version updates (and only with
 good reason).
 This project uses [Semantic Versioning 2.0.0](http://semver.org).  Accepted pull
@ -125,8 +125,8 @@ requests will land on `main`.  Periodically, versions will be tagged from
 `main`.  You can find all the releases on [the project releases
 page](https://github.com/golang-jwt/jwt/releases).
-**BREAKING CHANGES:** A full list of breaking changes is available in
+**BREAKING CHANGES:*** A full list of breaking changes is available in
-`VERSION_HISTORY.md`.  See [`MIGRATION_GUIDE.md`](./MIGRATION_GUIDE.md) for more information on updating
+`VERSION_HISTORY.md`.  See `MIGRATION_GUIDE.md` for more information on updating
 your code.
 ## Extensions
--- a/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
+++ b/vendor/github.com/golang-jwt/jwt/v5/SECURITY.md
@ -2,11 +2,11 @@
 ## Supported Versions
-As of November 2024 (and until this document is updated), the latest version `v5` is supported. In critical cases, we might supply back-ported patches for `v4`.
+As of February 2022 (and until this document is updated), the latest version `v4` is supported.
 ## Reporting a Vulnerability
-If you think you found a vulnerability, and even if you are not sure, please report it a [GitHub Security Advisory](https://github.com/golang-jwt/jwt/security/advisories/new). Please try be explicit, describe steps to reproduce the security issue with code example(s).
+If you think you found a vulnerability, and even if you are not sure, please report it to jwt-go-security@googlegroups.com or one of the other [golang-jwt maintainers](https://github.com/orgs/golang-jwt/people). Please try be explicit, describe steps to reproduce the security issue with code example(s).
 You will receive a response within a timely manner. If the issue is confirmed, we will do our best to release a patch as soon as possible given the complexity of the problem.
--- a/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/ecdsa.go
@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
 	case *ecdsa.PublicKey:
 		ecdsaKey = k
 	default:
-		return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
+		return newError("ECDSA verify expects *ecsda.PublicKey", ErrInvalidKeyType)
 	}
 	if len(sig) != 2*m.KeySize {
@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
 	case *ecdsa.PrivateKey:
 		ecdsaKey = k
 	default:
-		return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
+		return nil, newError("ECDSA sign expects *ecsda.PrivateKey", ErrInvalidKeyType)
 	}
 	// Create the hasher
--- a/vendor/github.com/golang-jwt/jwt/v5/hmac.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/hmac.go
@ -91,7 +91,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
 func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
 	if keyBytes, ok := key.([]byte); ok {
 		if !m.Hash.Available() {
-			return nil, ErrHashUnavailable
+			return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
 		}
 		hasher := hmac.New(m.Hash.New, keyBytes)
@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte,
 		return hasher.Sum(nil), nil
 	}
-	return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
+	return nil, ErrInvalidKeyType
 }
--- a/vendor/github.com/golang-jwt/jwt/v5/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v5/parser.go
@ -8,8 +8,6 @@ import (
 	"strings"
 )
 const tokenDelimiter = "."
 type Parser struct {
 	// If populated, only these methods will be considered valid.
 	validMethods []string
@ -138,10 +136,9 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 // It's only ever useful in cases where you know the signature is valid (since it has already
 // been or will be checked elsewhere in the stack) and you want to extract values from it.
 func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
-	var ok bool
+	parts = strings.Split(tokenString, ".")
-	parts, ok = splitToken(tokenString)
+	if len(parts) != 3 {
-	if !ok {
+		return nil, parts, newError("token contains an invalid number of segments", ErrTokenMalformed)
 		return nil, nil, newError("token contains an invalid number of segments", ErrTokenMalformed)
 	}
 	token = &Token{Raw: tokenString}
@ -199,33 +196,6 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 	return token, parts, nil
 }
 // splitToken splits a token string into three parts: header, claims, and signature. It will only
 // return true if the token contains exactly two delimiters and three parts. In all other cases, it
 // will return nil parts and false.
 func splitToken(token string) ([]string, bool) {
 	parts := make([]string, 3)
 	header, remain, ok := strings.Cut(token, tokenDelimiter)
 	if !ok {
 		return nil, false
 	}
 	parts[0] = header
 	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
 	if !ok {
 		return nil, false
 	}
 	parts[1] = claims
 	// One more cut to ensure the signature is the last part of the token and there are no more
 	// delimiters. This avoids an issue where malicious input could contain additional delimiters
 	// causing unecessary overhead parsing tokens.
 	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
 	if unexpected {
 		return nil, false
 	}
 	parts[2] = signature
 	return parts, true
 }
 // DecodeSegment decodes a JWT specific base64url encoding. This function will
 // take into account whether the [Parser] is configured with additional options,
 // such as [WithStrictDecoding] or [WithPaddingAllowed].
--- a/vendor/github.com/tidwall/buntdb/buntdb.go
+++ b/vendor/github.com/tidwall/buntdb/buntdb.go
@ -10,7 +10,6 @@ import (
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"sort"
 	"strconv"
 	"strings"
@ -62,8 +61,6 @@ var (
 	ErrTxIterating = errors.New("tx is iterating")
 )
 const useAbsEx = true
 // DB represents a collection of key-value pairs that persist on disk.
 // Transactions are used for all forms of data access to the DB.
 type DB struct {
@ -754,7 +751,7 @@ func (db *DB) Shrink() error {
 			return err
 		}
 		// Any failures below here are really bad. So just panic.
-		if err := renameFile(tmpname, fname); err != nil {
+		if err := os.Rename(tmpname, fname); err != nil {
 			panicErr(err)
 		}
 		db.file, err = os.OpenFile(fname, os.O_CREATE|os.O_RDWR, 0666)
@ -774,18 +771,6 @@ func panicErr(err error) error {
 	panic(fmt.Errorf("buntdb: %w", err))
 }
 func renameFile(src, dest string) error {
 	var err error
 	if err = os.Rename(src, dest); err != nil {
 		if runtime.GOOS == "windows" {
 			if err = os.Remove(dest); err == nil {
 				err = os.Rename(src, dest)
 			}
 		}
 	}
 	return err
 }
 // readLoad reads from the reader and loads commands into the database.
 // modTime is the modified time of the reader, should be no greater than
 // the current time.Now().
@ -910,35 +895,24 @@ func (db *DB) readLoad(rd io.Reader, modTime time.Time) (n int64, err error) {
 				return totalSize, ErrInvalid
 			}
 			if len(parts) == 5 {
-				arg := strings.ToLower(parts[3])
+				if strings.ToLower(parts[3]) != "ex" {
 				if arg != "ex" && arg != "ae" {
 					return totalSize, ErrInvalid
 				}
-				ex, err := strconv.ParseInt(parts[4], 10, 64)
+				ex, err := strconv.ParseUint(parts[4], 10, 64)
 				if err != nil {
 					return totalSize, err
 				}
 				var exat time.Time
 				now := time.Now()
 				if arg == "ex" {
 				dur := (time.Duration(ex) * time.Second) - now.Sub(modTime)
-					exat = now.Add(dur)
+				if dur > 0 {
 				} else {
 					exat = time.Unix(ex, 0)
 				}
 				if exat.After(now) {
 					db.insertIntoDatabase(&dbItem{
 						key: parts[1],
 						val: parts[2],
 						opts: &dbItemOpts{
 							ex:   true,
-							exat: exat,
+							exat: now.Add(dur),
 						},
 					})
 				} else {
 					db.deleteFromDatabase(&dbItem{
 						key: parts[1],
 					})
 				}
 			} else {
 				db.insertIntoDatabase(&dbItem{key: parts[1], val: parts[2]})
@ -1356,19 +1330,13 @@ func appendBulkString(buf []byte, s string) []byte {
 // writeSetTo writes an item as a single SET record to the a bufio Writer.
 func (dbi *dbItem) writeSetTo(buf []byte, now time.Time) []byte {
 	if dbi.opts != nil && dbi.opts.ex {
 		ex := dbi.opts.exat.Sub(now) / time.Second
 		buf = appendArray(buf, 5)
 		buf = appendBulkString(buf, "set")
 		buf = appendBulkString(buf, dbi.key)
 		buf = appendBulkString(buf, dbi.val)
 		if useAbsEx {
 			ex := dbi.opts.exat.Unix()
 			buf = appendBulkString(buf, "ae")
 			buf = appendBulkString(buf, strconv.FormatUint(uint64(ex), 10))
 		} else {
 			ex := dbi.opts.exat.Sub(now) / time.Second
 		buf = appendBulkString(buf, "ex")
 		buf = appendBulkString(buf, strconv.FormatUint(uint64(ex), 10))
 		}
 	} else {
 		buf = appendArray(buf, 3)
 		buf = appendBulkString(buf, "set")
@ -1654,9 +1622,6 @@ func (tx *Tx) scan(desc, gt, lt bool, index, start, stop string,
 	// wrap a btree specific iterator around the user-defined iterator.
 	iter := func(item interface{}) bool {
 		dbi := item.(*dbItem)
 		if dbi.expired() {
 			return true
 		}
 		return iterator(dbi.key, dbi.val)
 	}
 	var tr *btree.BTree
--- a/vendor/github.com/toorop/go-dkim/.gitignore
+++ b/vendor/github.com/toorop/go-dkim/.gitignore
@ -0,0 +1,24 @@
 # Compiled Object files, Static and Dynamic libs (Shared Objects)
 *.o
 *.a
 *.so
 # Folders
 _obj
 _test
 # Architecture specific extensions/prefixes
 *.[568vq]
 [568vq].out
 *.cgo1.go
 *.cgo2.c
 _cgo_defun.c
 _cgo_gotypes.go
 _cgo_export.*
 _testmain.go
 *.exe
 *.test
 *.prof
--- a/vendor/github.com/emersion/go-msgauth/LICENSE
+++ b/vendor/github.com/emersion/go-msgauth/LICENSE
@ -1,6 +1,6 @@
-MIT License
+The MIT License (MIT)
-Copyright (c) 2017 emersion
+Copyright (c) 2015 Stéphane Depierrepont
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@ -19,3 +19,4 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/vendor/github.com/toorop/go-dkim/README.md
+++ b/vendor/github.com/toorop/go-dkim/README.md
@ -0,0 +1,56 @@
 # go-dkim
 DKIM package for Golang
 [![GoDoc](https://godoc.org/github.com/toorop/go-dkim?status.svg)](https://godoc.org/github.com/toorop/go-dkim)
 ## Getting started
 ### Install
 ```
 	go get github.com/toorop/go-dkim
 ```
 Warning: you need to use Go 1.4.2-master or 1.4.3 (when it will be available)
 see https://github.com/golang/go/issues/10482 fro more info.
 ### Sign email
 ```go
 import (
 	dkim "github.com/toorop/go-dkim"
 )
 func main(){
 	// email is the email to sign (byte slice)
 	// privateKey the private key (pem encoded, byte slice )	
 	options := dkim.NewSigOptions()
 	options.PrivateKey = privateKey
 	options.Domain = "mydomain.tld"
 	options.Selector = "myselector"
 	options.SignatureExpireIn = 3600
 	options.BodyLength = 50
 	options.Headers = []string{"from", "date", "mime-version", "received", "received"}
 	options.AddSignatureTimestamp = true
 	options.Canonicalization = "relaxed/relaxed"
 	err := dkim.Sign(&email, options)
 	// handle err..
 	// And... that's it, 'email' is signed ! Amazing© !!!
 }
 ```
 ### Verify
 ```go
 import (
 	dkim "github.com/toorop/go-dkim"
 )
 func main(){
 	// email is the email to verify (byte slice)
 	status, err := Verify(&email)
 	// handle status, err (see godoc for status)
 }
 ```
 ## Todo
 - [ ] handle z tag (copied header fields used for diagnostic use)
--- a/vendor/github.com/toorop/go-dkim/dkim.go
+++ b/vendor/github.com/toorop/go-dkim/dkim.go
@ -0,0 +1,564 @@
 // Package dkim provides tools for signing and verify a email according to RFC 6376
 package dkim
 import (
 	"bytes"
 	"container/list"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"hash"
 	"regexp"
 	"strings"
 	"time"
 )
 const (
 	CRLF                = "\r\n"
 	TAB                 = " "
 	FWS                 = CRLF + TAB
 	MaxHeaderLineLength = 70
 )
 type verifyOutput int
 const (
 	SUCCESS verifyOutput = 1 + iota
 	PERMFAIL
 	TEMPFAIL
 	NOTSIGNED
 	TESTINGSUCCESS
 	TESTINGPERMFAIL
 	TESTINGTEMPFAIL
 )
 // sigOptions represents signing options
 type SigOptions struct {
 	// DKIM version (default 1)
 	Version uint
 	// Private key used for signing (required)
 	PrivateKey []byte
 	// Domain (required)
 	Domain string
 	// Selector (required)
 	Selector string
 	// The Agent of User IDentifier
 	Auid string
 	// Message canonicalization (plain-text; OPTIONAL, default is
 	// "simple/simple").  This tag informs the Verifier of the type of
 	// canonicalization used to prepare the message for signing.
 	Canonicalization string
 	// The algorithm used to generate the signature
 	//"rsa-sha1" or "rsa-sha256"
 	Algo string
 	// Signed header fields
 	Headers []string
 	// Body length count( if set to 0 this tag is ommited in Dkim header)
 	BodyLength uint
 	// Query Methods used to retrieve the public key
 	QueryMethods []string
 	// Add a signature timestamp
 	AddSignatureTimestamp bool
 	// Time validity of the signature (0=never)
 	SignatureExpireIn uint64
 	// CopiedHeaderFileds
 	CopiedHeaderFields []string
 }
 // NewSigOptions returns new sigoption with some defaults value
 func NewSigOptions() SigOptions {
 	return SigOptions{
 		Version:               1,
 		Canonicalization:      "simple/simple",
 		Algo:                  "rsa-sha256",
 		Headers:               []string{"from"},
 		BodyLength:            0,
 		QueryMethods:          []string{"dns/txt"},
 		AddSignatureTimestamp: true,
 		SignatureExpireIn:     0,
 	}
 }
 // Sign signs an email
 func Sign(email *[]byte, options SigOptions) error {
 	var privateKey *rsa.PrivateKey
 	var err error
 	// PrivateKey
 	if len(options.PrivateKey) == 0 {
 		return ErrSignPrivateKeyRequired
 	}
 	d, _ := pem.Decode(options.PrivateKey)
 	if d == nil {
 		return ErrCandNotParsePrivateKey
 	}
 	// try to parse it as PKCS1 otherwise try PKCS8
 	if key, err := x509.ParsePKCS1PrivateKey(d.Bytes); err != nil {
 		if key, err := x509.ParsePKCS8PrivateKey(d.Bytes); err != nil {
 			return ErrCandNotParsePrivateKey
 		} else {
 			privateKey = key.(*rsa.PrivateKey)
 		}
 	} else {
 		privateKey = key
 	}
 	// Domain required
 	if options.Domain == "" {
 		return ErrSignDomainRequired
 	}
 	// Selector required
 	if options.Selector == "" {
 		return ErrSignSelectorRequired
 	}
 	// Canonicalization
 	options.Canonicalization, err = validateCanonicalization(strings.ToLower(options.Canonicalization))
 	if err != nil {
 		return err
 	}
 	// Algo
 	options.Algo = strings.ToLower(options.Algo)
 	if options.Algo != "rsa-sha1" && options.Algo != "rsa-sha256" {
 		return ErrSignBadAlgo
 	}
 	// Header must contain "from"
 	hasFrom := false
 	for i, h := range options.Headers {
 		h = strings.ToLower(h)
 		options.Headers[i] = h
 		if h == "from" {
 			hasFrom = true
 		}
 	}
 	if !hasFrom {
 		return ErrSignHeaderShouldContainsFrom
 	}
 	// Normalize
 	headers, body, err := canonicalize(email, options.Canonicalization, options.Headers)
 	if err != nil {
 		return err
 	}
 	signHash := strings.Split(options.Algo, "-")
 	// hash body
 	bodyHash, err := getBodyHash(&body, signHash[1], options.BodyLength)
 	if err != nil {
 		return err
 	}
 	// Get dkim header base
 	dkimHeader := newDkimHeaderBySigOptions(options)
 	dHeader := dkimHeader.getHeaderBaseForSigning(bodyHash)
 	canonicalizations := strings.Split(options.Canonicalization, "/")
 	dHeaderCanonicalized, err := canonicalizeHeader(dHeader, canonicalizations[0])
 	if err != nil {
 		return err
 	}
 	headers = append(headers, []byte(dHeaderCanonicalized)...)
 	headers = bytes.TrimRight(headers, " \r\n")
 	// sign
 	sig, err := getSignature(&headers, privateKey, signHash[1])
 	// add to DKIM-Header
 	subh := ""
 	l := len(subh)
 	for _, c := range sig {
 		subh += string(c)
 		l++
 		if l >= MaxHeaderLineLength {
 			dHeader += subh + FWS
 			subh = ""
 			l = 0
 		}
 	}
 	dHeader += subh + CRLF
 	*email = append([]byte(dHeader), *email...)
 	return nil
 }
 // Verify verifies an email an return
 // state: SUCCESS or PERMFAIL or TEMPFAIL, TESTINGSUCCESS, TESTINGPERMFAIL
 // TESTINGTEMPFAIL or NOTSIGNED
 // error: if an error occurs during verification
 func Verify(email *[]byte, opts ...DNSOpt) (verifyOutput, error) {
 	// parse email
 	dkimHeader, err := GetHeader(email)
 	if err != nil {
 		if err == ErrDkimHeaderNotFound {
 			return NOTSIGNED, ErrDkimHeaderNotFound
 		}
 		return PERMFAIL, err
 	}
 	// we do not set query method because if it's others, validation failed earlier
 	pubKey, verifyOutputOnError, err := NewPubKeyRespFromDNS(dkimHeader.Selector, dkimHeader.Domain, opts...)
 	if err != nil {
 		// fix https://github.com/toorop/go-dkim/issues/1
 		//return getVerifyOutput(verifyOutputOnError, err, pubKey.FlagTesting)
 		return verifyOutputOnError, err
 	}
 	// Normalize
 	headers, body, err := canonicalize(email, dkimHeader.MessageCanonicalization, dkimHeader.Headers)
 	if err != nil {
 		return getVerifyOutput(PERMFAIL, err, pubKey.FlagTesting)
 	}
 	sigHash := strings.Split(dkimHeader.Algorithm, "-")
 	// check if hash algo are compatible
 	compatible := false
 	for _, algo := range pubKey.HashAlgo {
 		if sigHash[1] == algo {
 			compatible = true
 			break
 		}
 	}
 	if !compatible {
 		return getVerifyOutput(PERMFAIL, ErrVerifyInappropriateHashAlgo, pubKey.FlagTesting)
 	}
 	// expired ?
 	if !dkimHeader.SignatureExpiration.IsZero() && dkimHeader.SignatureExpiration.Second() < time.Now().Second() {
 		return getVerifyOutput(PERMFAIL, ErrVerifySignatureHasExpired, pubKey.FlagTesting)
 	}
 	//println("|" + string(body) + "|")
 	// get body hash
 	bodyHash, err := getBodyHash(&body, sigHash[1], dkimHeader.BodyLength)
 	if err != nil {
 		return getVerifyOutput(PERMFAIL, err, pubKey.FlagTesting)
 	}
 	//println(bodyHash)
 	if bodyHash != dkimHeader.BodyHash {
 		return getVerifyOutput(PERMFAIL, ErrVerifyBodyHash, pubKey.FlagTesting)
 	}
 	// compute sig
 	dkimHeaderCano, err := canonicalizeHeader(dkimHeader.rawForSign, strings.Split(dkimHeader.MessageCanonicalization, "/")[0])
 	if err != nil {
 		return getVerifyOutput(TEMPFAIL, err, pubKey.FlagTesting)
 	}
 	toSignStr := string(headers) + dkimHeaderCano
 	toSign := bytes.TrimRight([]byte(toSignStr), " \r\n")
 	err = verifySignature(toSign, dkimHeader.SignatureData, &pubKey.PubKey, sigHash[1])
 	if err != nil {
 		return getVerifyOutput(PERMFAIL, err, pubKey.FlagTesting)
 	}
 	return SUCCESS, nil
 }
 // getVerifyOutput returns output of verify fct according to the testing flag
 func getVerifyOutput(status verifyOutput, err error, flagTesting bool) (verifyOutput, error) {
 	if !flagTesting {
 		return status, err
 	}
 	switch status {
 	case SUCCESS:
 		return TESTINGSUCCESS, err
 	case PERMFAIL:
 		return TESTINGPERMFAIL, err
 	case TEMPFAIL:
 		return TESTINGTEMPFAIL, err
 	}
 	// should never happen but compilator sream whithout return
 	return status, err
 }
 // canonicalize returns canonicalized version of header and body
 func canonicalize(email *[]byte, cano string, h []string) (headers, body []byte, err error) {
 	body = []byte{}
 	rxReduceWS := regexp.MustCompile(`[ \t]+`)
 	rawHeaders, rawBody, err := getHeadersBody(email)
 	if err != nil {
 		return nil, nil, err
 	}
 	canonicalizations := strings.Split(cano, "/")
 	// canonicalyze header
 	headersList, err := getHeadersList(&rawHeaders)
 	// pour chaque header a conserver on traverse tous les headers dispo
 	// If multi instance of a field we must keep it from the bottom to the top
 	var match *list.Element
 	headersToKeepList := list.New()
 	for _, headerToKeep := range h {
 		match = nil
 		headerToKeepToLower := strings.ToLower(headerToKeep)
 		for e := headersList.Front(); e != nil; e = e.Next() {
 			//fmt.Printf("|%s|\n", e.Value.(string))
 			t := strings.Split(e.Value.(string), ":")
 			if strings.ToLower(t[0]) == headerToKeepToLower {
 				match = e
 			}
 		}
 		if match != nil {
 			headersToKeepList.PushBack(match.Value.(string) + "\r\n")
 			headersList.Remove(match)
 		}
 	}
 	//if canonicalizations[0] == "simple" {
 	for e := headersToKeepList.Front(); e != nil; e = e.Next() {
 		cHeader, err := canonicalizeHeader(e.Value.(string), canonicalizations[0])
 		if err != nil {
 			return headers, body, err
 		}
 		headers = append(headers, []byte(cHeader)...)
 	}
 	// canonicalyze body
 	if canonicalizations[1] == "simple" {
 		// simple
 		// The "simple" body canonicalization algorithm ignores all empty lines
 		// at the end of the message body.  An empty line is a line of zero
 		// length after removal of the line terminator.  If there is no body or
 		// no trailing CRLF on the message body, a CRLF is added.  It makes no
 		// other changes to the message body.  In more formal terms, the
 		// "simple" body canonicalization algorithm converts "*CRLF" at the end
 		// of the body to a single "CRLF".
 		// Note that a completely empty or missing body is canonicalized as a
 		// single "CRLF"; that is, the canonicalized length will be 2 octets.
 		body = bytes.TrimRight(rawBody, "\r\n")
 		body = append(body, []byte{13, 10}...)
 	} else {
 		// relaxed
 		// Ignore all whitespace at the end of lines.  Implementations
 		// MUST NOT remove the CRLF at the end of the line.
 		// Reduce all sequences of WSP within a line to a single SP
 		// character.
 		// Ignore all empty lines at the end of the message body.  "Empty
 		// line" is defined in Section 3.4.3.  If the body is non-empty but
 		// does not end with a CRLF, a CRLF is added.  (For email, this is
 		// only possible when using extensions to SMTP or non-SMTP transport
 		// mechanisms.)
 		rawBody = rxReduceWS.ReplaceAll(rawBody, []byte(" "))
 		for _, line := range bytes.SplitAfter(rawBody, []byte{10}) {
 			line = bytes.TrimRight(line, " \r\n")
 			body = append(body, line...)
 			body = append(body, []byte{13, 10}...)
 		}
 		body = bytes.TrimRight(body, "\r\n")
 		body = append(body, []byte{13, 10}...)
 	}
 	return
 }
 // canonicalizeHeader returns canonicalized version of header
 func canonicalizeHeader(header string, algo string) (string, error) {
 	//rxReduceWS := regexp.MustCompile(`[ \t]+`)
 	if algo == "simple" {
 		// The "simple" header canonicalization algorithm does not change header
 		// fields in any way.  Header fields MUST be presented to the signing or
 		// verification algorithm exactly as they are in the message being
 		// signed or verified.  In particular, header field names MUST NOT be
 		// case folded and whitespace MUST NOT be changed.
 		return header, nil
 	} else if algo == "relaxed" {
 		// The "relaxed" header canonicalization algorithm MUST apply the
 		// following steps in order:
 		// Convert all header field names (not the header field values) to
 		// lowercase.  For example, convert "SUBJect: AbC" to "subject: AbC".
 		// Unfold all header field continuation lines as described in
 		// [RFC5322]; in particular, lines with terminators embedded in
 		// continued header field values (that is, CRLF sequences followed by
 		// WSP) MUST be interpreted without the CRLF.  Implementations MUST
 		// NOT remove the CRLF at the end of the header field value.
 		// Convert all sequences of one or more WSP characters to a single SP
 		// character.  WSP characters here include those before and after a
 		// line folding boundary.
 		// Delete all WSP characters at the end of each unfolded header field
 		// value.
 		// Delete any WSP characters remaining before and after the colon
 		// separating the header field name from the header field value.  The
 		// colon separator MUST be retained.
 		kv := strings.SplitN(header, ":", 2)
 		if len(kv) != 2 {
 			return header, ErrBadMailFormatHeaders
 		}
 		k := strings.ToLower(kv[0])
 		k = strings.TrimSpace(k)
 		v := removeFWS(kv[1])
 		//v = rxReduceWS.ReplaceAllString(v, " ")
 		//v = strings.TrimSpace(v)
 		return k + ":" + v + CRLF, nil
 	}
 	return header, ErrSignBadCanonicalization
 }
 // getBodyHash return the hash (bas64encoded) of the body
 func getBodyHash(body *[]byte, algo string, bodyLength uint) (string, error) {
 	var h hash.Hash
 	if algo == "sha1" {
 		h = sha1.New()
 	} else {
 		h = sha256.New()
 	}
 	toH := *body
 	// if l tag (body length)
 	if bodyLength != 0 {
 		if uint(len(toH)) < bodyLength {
 			return "", ErrBadDKimTagLBodyTooShort
 		}
 		toH = toH[0:bodyLength]
 	}
 	h.Write(toH)
 	return base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
 }
 // getSignature return signature of toSign using key
 func getSignature(toSign *[]byte, key *rsa.PrivateKey, algo string) (string, error) {
 	var h1 hash.Hash
 	var h2 crypto.Hash
 	switch algo {
 	case "sha1":
 		h1 = sha1.New()
 		h2 = crypto.SHA1
 		break
 	case "sha256":
 		h1 = sha256.New()
 		h2 = crypto.SHA256
 		break
 	default:
 		return "", ErrVerifyInappropriateHashAlgo
 	}
 	// sign
 	h1.Write(*toSign)
 	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h2, h1.Sum(nil))
 	if err != nil {
 		return "", err
 	}
 	return base64.StdEncoding.EncodeToString(sig), nil
 }
 // verifySignature verify signature from pubkey
 func verifySignature(toSign []byte, sig64 string, key *rsa.PublicKey, algo string) error {
 	var h1 hash.Hash
 	var h2 crypto.Hash
 	switch algo {
 	case "sha1":
 		h1 = sha1.New()
 		h2 = crypto.SHA1
 		break
 	case "sha256":
 		h1 = sha256.New()
 		h2 = crypto.SHA256
 		break
 	default:
 		return ErrVerifyInappropriateHashAlgo
 	}
 	h1.Write(toSign)
 	sig, err := base64.StdEncoding.DecodeString(sig64)
 	if err != nil {
 		return err
 	}
 	return rsa.VerifyPKCS1v15(key, h2, h1.Sum(nil), sig)
 }
 // removeFWS removes all FWS from string
 func removeFWS(in string) string {
 	rxReduceWS := regexp.MustCompile(`[ \t]+`)
 	out := strings.Replace(in, "\n", "", -1)
 	out = strings.Replace(out, "\r", "", -1)
 	out = rxReduceWS.ReplaceAllString(out, " ")
 	return strings.TrimSpace(out)
 }
 // validateCanonicalization validate canonicalization (c flag)
 func validateCanonicalization(cano string) (string, error) {
 	p := strings.Split(cano, "/")
 	if len(p) > 2 {
 		return "", ErrSignBadCanonicalization
 	}
 	if len(p) == 1 {
 		cano = cano + "/simple"
 	}
 	for _, c := range p {
 		if c != "simple" && c != "relaxed" {
 			return "", ErrSignBadCanonicalization
 		}
 	}
 	return cano, nil
 }
 // getHeadersList returns headers as list
 func getHeadersList(rawHeader *[]byte) (*list.List, error) {
 	headersList := list.New()
 	currentHeader := []byte{}
 	for _, line := range bytes.SplitAfter(*rawHeader, []byte{10}) {
 		if line[0] == 32 || line[0] == 9 {
 			if len(currentHeader) == 0 {
 				return headersList, ErrBadMailFormatHeaders
 			}
 			currentHeader = append(currentHeader, line...)
 		} else {
 			// New header, save current if exists
 			if len(currentHeader) != 0 {
 				headersList.PushBack(string(bytes.TrimRight(currentHeader, "\r\n")))
 				currentHeader = []byte{}
 			}
 			currentHeader = append(currentHeader, line...)
 		}
 	}
 	headersList.PushBack(string(currentHeader))
 	return headersList, nil
 }
 // getHeadersBody return headers and body
 func getHeadersBody(email *[]byte) ([]byte, []byte, error) {
 	substitutedEmail := *email
 	// only replace \n with \r\n when \r\n\r\n not exists
 	if bytes.Index(*email, []byte{13, 10, 13, 10}) < 0 {
 		// \n -> \r\n
 		substitutedEmail = bytes.Replace(*email, []byte{10}, []byte{13, 10}, -1)
 	}
 	parts := bytes.SplitN(substitutedEmail, []byte{13, 10, 13, 10}, 2)
 	if len(parts) != 2 {
 		return []byte{}, []byte{}, ErrBadMailFormat
 	}
 	// Empty body
 	if len(parts[1]) == 0 {
 		parts[1] = []byte{13, 10}
 	}
 	return parts[0], parts[1], nil
 }
--- a/Show More
+++ b/Show More
`@ -1,4 +1,4 @@`
	`//go:build !(plan9 \|\| solaris)`	`//go:build !plan9`

	`package flock`	`package flock`
`@ -1,4 +1,4 @@`
	`//go:build plan9 \|\| solaris`	`//go:build plan9`

	`package flock`	`package flock`
		`@ -1 +1 @@`
			`Subproject commit ccdacd990a09ac3cd3591613b8d7fee4301e08c8`				`Subproject commit af980ed3b639b5e1b3749c74027872adb69922a7`