1 files changed, 513 insertions, 272 deletions
diff --git a/pounce.1 b/pounce.1
index b61527a..e4919d2 100644
--- a/pounce.1
+++ b/pounce.1
@@ -1,4 +1,4 @@
-.Dd February 27, 2020
+.Dd July 16, 2023
 .Dt POUNCE 1
 .Os
 .
@@ -8,25 +8,29 @@
 .
 .Sh SYNOPSIS
 .Nm
-.Op Fl NTev
-.Op Fl A Ar cert
-.Op Fl C Ar cert
-.Op Fl H Ar host
-.Op Fl K Ar priv
-.Op Fl P Ar port
+.Op Fl LNTev
+.Op Fl A Ar local-ca
+.Op Fl C Ar local-cert
+.Op Fl H Ar local-host
+.Op Fl K Ar local-priv
+.Op Fl P Ar local-port
+.Op Fl Q Ar queue-interval
+.Op Fl R Ar blind-req
 .Op Fl S Ar bind
-.Op Fl U Ar unix
-.Op Fl W Ar pass
-.Op Fl a Ar auth
-.Op Fl c Ar cert
+.Op Fl U Ar local-path
+.Op Fl W Ar local-pass
+.Op Fl a Ar sasl-plain
+.Op Fl c Ar client-cert
 .Op Fl f Ar save
 .Op Fl h Ar host
 .Op Fl j Ar join
-.Op Fl k Ar priv
+.Op Fl k Ar client-priv
+.Op Fl m Ar mode
 .Op Fl n Ar nick
 .Op Fl p Ar port
 .Op Fl q Ar quit
 .Op Fl r Ar real
+.Op Fl t Ar trust
 .Op Fl s Ar size
 .Op Fl u Ar user
 .Op Fl w Ar pass
@@ -34,6 +38,13 @@
 .Op Ar config ...
 .
 .Nm
+.Fl o
+.Op Fl S Ar bind
+.Op Fl h Ar host
+.Op Fl p Ar port
+.Op Ar config ...
+.
+.Nm
 .Op Fl A Ar ca
 .Fl g Ar cert
 .
@@ -43,23 +54,79 @@
 .Sh DESCRIPTION
 The
 .Nm
-daemon
+program
 is a multi-client, TLS-only IRC bouncer.
 It maintains a persistent connection to an IRC server
 while allowing clients to connect and disconnect,
 receiving messages that were missed upon reconnection.
-Clients should use the IRCv3.2
+Clients must uniquely identify themselves to
+.Nm
+by their IRC username
+(not nickname).
+The IRCv3
 .Sy server-time
-extension
-to know when missed messages were received
-and uniquely identify themselves by username.
+extension is used to indicate
+when messages were originally received.
 See
 .Sx Client Configuration
 for details.
 .
 .Pp
+The local server portion of
+.Nm
+requires a TLS certificate,
+which can be obtained for example
+by an ACME client such as
+.Xr acme-client 8 .
+The private key
+must be made readable by
+the user running
+.Nm .
+.
+.Pp
+One instance of
+.Nm
+must be configured for each IRC network.
+Instances of
+.Nm
+must either use different local ports with
+.Cm local-port
+or different local host names with
+.Cm local-host
+and
+.Cm local-path
+to be dispatched from the same port by
+.Xr calico 1 .
+.
+.Pp
+Client connections are not accepted
+until successful login to the server.
+If the server connection is lost,
+the
+.Nm
+process exits.
+.
+.Pp
 Options can be loaded from
 files listed on the command line.
+Files are searched for in
+.Pa $XDG_CONFIG_DIRS/pounce
+.Po
+usually
+.Pa ~/.config/pounce
+.Pc
+unless the path starts with
+.Ql / ,
+.Ql \&./
+or
+.Ql \&../ .
+Certificate and private key paths
+are searched for in the same manner.
+Files and flags
+listed later on the command line
+take precedence over those listed earlier.
+.
+.Pp
 Each option is placed on a line,
 and lines beginning with
 .Ql #
@@ -67,75 +134,80 @@ are ignored.
 The options are listed below
 following their corresponding flags.
 .
-.Pp
-The arguments are as follows:
-.
+.Ss Local Server Options
 .Bl -tag -width Ds
-.It Fl A Ar path , Cm local-ca = Ar path
+.It Fl A Ar path | Cm local-ca No = Ar path
 Require clients to authenticate
 using a TLS client certificate
-signed by the certificate authority loaded from
+either contained in
+or signed by a certificate in
+the file loaded from
 .Ar path .
+The file is reloaded when the
+.Dv SIGUSR1
+signal is received.
 See
 .Sx Generating Client Certificates .
 If
-.Fl W
+.Cm local-pass
 is also set,
-clients may instead connect
+clients may instead authenticate
 with a server password.
 .
-.It Fl C Ar path , Cm local-cert = Ar path
+.It Fl C Ar path | Cm local-cert No = Ar path
 Load TLS certificate from
 .Ar path .
-The default path is the
-.Xr certbot 8
-path for the
+The file is reloaded when the
+.Dv SIGUSR1
+signal is received.
+The default path is
+.Ar host Ns .pem ,
+where
 .Ar host
-set by
-.Fl H .
+is set by
+.Cm local-host .
 .
-.It Fl H Ar host , Cm local-host = Ar host
+.It Fl H Ar host | Cm local-host No = Ar host
 Bind to
 .Ar host .
 The default host is localhost.
 .
-.It Fl K Ar path , Cm local-priv = Ar path
+.It Fl K Ar path | Cm local-priv No = Ar path
 Load TLS private key from
 .Ar path .
-The default path is the
-.Xr certbot 8
-path for the
+The file is reloaded when the
+.Dv SIGUSR1
+signal is received.
+The default path is
+.Ar host Ns .key ,
+where
 .Ar host
-set by
-.Fl H .
-.
-.It Fl N , Cm no-names
-Do not request
-.Ql NAMES
-for each channel when a client connects.
-This avoids already connected clients
-receiving unsolicited responses
-but prevents new clients from populating user lists.
-.
-.It Fl P Ar port , Cm local-port = Ar port
+is set by
+.Cm local-host .
+.
+.It Fl L | Cm palaver
+Advertise the
+.Sy palaverapp.com
+IRCv3 vendor-specific capability to clients.
+This option only enables the capability;
+push notifications must be provided by the
+.Xr pounce-palaver 1
+special-purpose client.
+.
+.It Fl P Ar port | Cm local-port No = Ar port
 Bind to
 .Ar port .
 The default port is 6697.
 .
-.It Fl S Ar host , Cm bind = Ar host
-Bind to source address
-.Ar host
-when connecting to the server.
-.
-.It Fl T
+.It Fl T | Cm no-sts
 Do not advertise a
 strict transport security (STS) policy
 to clients.
 .
-.It Fl U Ar path , Cm local-path = Ar path
+.It Fl U Ar path | Cm local-path No = Ar path
 Bind to a UNIX-domain socket at
 .Ar path .
-Clients are accepted as sent by
+Clients are only accepted as dispatched by
 .Xr calico 1 .
 If
 .Ar path
@@ -143,14 +215,14 @@ is a directory,
 the
 .Ar host
 set by
-.Fl H
+.Cm local-host
 is appended to it.
 This option takes precedence over
-.Fl H
+.Cm local-host
 and
-.Fl P .
+.Cm local-port .
 .
-.It Fl W Ar pass , Cm local-pass = Ar pass
+.It Fl W Ar pass | Cm local-pass No = Ar pass
 Require the server password
 .Ar pass
 for clients to connect.
@@ -159,12 +231,80 @@ The
 string must be hashed using
 .Fl x .
 If
-.Fl A
+.Cm local-ca
 is also set,
-clients may instead connect
+clients may instead authenticate
 using a TLS client certificate.
 .
-.It Fl a Ar user : Ns Ar pass , Cm sasl-plain = Ar user : Ns Ar pass
+.It Fl f Ar path | Cm save No = Ar path
+Save and load the contents of the buffer from
+.Ar path
+in
+.Pa $XDG_DATA_DIRS/pounce ,
+usually
+.Pa ~/.local/share/pounce ,
+or an absolute or relative path if
+.Ar path
+starts with
+.Ql / ,
+.Ql \&./
+or
+.Ql \&../ .
+The file is truncated after loading.
+.
+.It Fl s Ar size | Cm size No = Ar size
+Set the number of messages contained in the buffer to
+.Ar size .
+This sets the maximum number
+of recent messages
+which can be relayed
+to a reconnecting client.
+The size must be a power of two.
+The default size is 4096.
+.El
+.
+.Ss Remote Server Options
+.Bl -tag -width Ds
+.It Fl N | Cm no-names
+Do not request
+.Ql NAMES
+for each channel when a client connects.
+This avoids already connected clients
+receiving unsolicited responses
+but prevents new clients from populating user lists.
+.
+.It Fl Q Ar ms | Cm queue-interval No = Ar ms
+Set the server send queue interval in milliseconds.
+The queue is used
+to send automated messages from
+.Nm
+to the server.
+Messages from clients
+are sent to the server directly.
+The default interval is 200 milliseconds.
+.
+.It Fl R Ar caps | Cm blind-req No = Ar caps
+Blindly request the IRCv3 capabilities
+.Ar caps ,
+which must be supported by
+.Nm .
+This can be used to enable hidden capabilities,
+such as
+.Sy userhost-in-names
+on some networks.
+.
+.It Fl S Ar host | Cm bind No = Ar host
+Bind to source address
+.Ar host
+when connecting to the server.
+To connect from any address
+over IPv4 only,
+use 0.0.0.0.
+To connect from any address
+over IPv6 only,
+use ::.
+.
+.It Fl a Ar user : Ns Ar pass | Cm sasl-plain No = Ar user : Ns Ar pass
 Authenticate as
 .Ar user
 with
@@ -172,147 +312,148 @@ with
 using SASL PLAIN.
 Since this method requires
 the account password in plaintext,
-it is recommended to use SASL EXTERNAL instead with
-.Fl e .
+it is recommended to use CertFP instead with
+.Cm sasl-external .
 .
-.It Fl c Ar path , Cm client-cert = Ar path
+.It Fl c Ar path | Cm client-cert No = Ar path
 Load the TLS client certificate from
 .Ar path .
 If the private key is in a separate file,
 it is loaded with
-.Fl k .
+.Cm client-priv .
 With
-.Fl e ,
+.Cm sasl-external ,
 authenticate using SASL EXTERNAL.
 Certificates can be generated with
 .Fl g .
 .
-.It Fl e , Cm sasl-external
+.It Fl e | Cm sasl-external
 Authenticate using SASL EXTERNAL,
 also known as CertFP.
 The TLS client certificate is loaded with
-.Fl c .
-For more information, see
+.Cm client-cert .
+See
 .Sx Configuring CertFP .
 .
-.It Fl f Ar path , Cm save = Ar path
-Load the contents of the buffer from
-.Ar path ,
-if it exists,
-and truncate it.
-On shutdown,
-save the contents of the buffer to
-.Ar path .
-.
-.It Fl g Ar path
-Generate a TLS client certificate using
-.Xr openssl 1
-and write it to
-.Ar path .
-The certificate is signed
-by the certificate authority if
-.Fl A
-is set,
-otherwise it is self-signed.
-.
-.It Fl h Ar host , Cm host = Ar host
+.It Fl h Ar host | Cm host No = Ar host
 Connect to
 .Ar host .
 .
-.It Fl j Ar chan , Cm join = Ar chan
+.It Fl j Ar channels Oo Ar keys Oc | Cm join No = Ar channels Op Ar keys
 Join the comma-separated list of
-.Ar chan .
+.Ar channels
+with the optional comma-separated list of channel
+.Ar keys .
 .
-.It Fl k Ar path , Cm client-priv = Ar path
+.It Fl k Ar path | Cm client-priv No = Ar path
 Load the TLS client private key from
 .Ar path .
 .
-.It Fl n Ar nick , Cm nick = Ar nick
+.It Fl m Ar mode | Cm mode No = Ar mode
+Set the user
+.Ar mode .
+.
+.It Fl n Ar nick | Cm nick No = Ar nick
 Set nickname to
 .Ar nick .
 The default nickname is the user's name.
 .
-.It Fl p Ar port , Cm port = Ar port
+.It Fl p Ar port | Cm port No = Ar port
 Connect to
 .Ar port .
 The default port is 6697.
 .
-.It Fl q Ar mesg , Cm quit = Ar mesg
+.It Fl q Ar mesg | Cm quit No = Ar mesg
 Quit with message
 .Ar mesg
 when shutting down.
 .
-.It Fl r Ar real , Cm real = Ar real
+.It Fl r Ar real | Cm real No = Ar real
 Set realname to
 .Ar real .
 The default realname is the same as the nickname.
 .
-.It Fl s Ar size , Cm size = Ar size
-Set the number of messages contained in the buffer to
-.Ar size .
-The size must be a power of two.
-The default size is 4096.
+.It Fl t Ar path | Cm trust No = Ar path
+Trust the certificate loaded from
+.Ar path .
+Server name verification is disabled.
+See
+.Sx Connecting to Servers with Self-signed Certificates .
 .
-.It Fl u Ar user , Cm user = Ar user
+.It Fl u Ar user | Cm user No = Ar user
 Set username to
 .Ar user .
 The default username is the same as the nickname.
 .
-.It Fl v , Cm verbose
-Write IRC messages to standard error
-in red to the server,
-green from the server,
-yellow from clients
-and blue to clients.
-.
-.It Fl w Ar pass , Cm pass = Ar pass
+.It Fl w Ar pass | Cm pass No = Ar pass
 Log in with the server password
 .Ar pass .
 .
-.It Fl x
-Prompt for a password
-and output a hash
-for use with
-.Fl W .
-.
-.It Fl y Ar mesg , Cm away = Ar mesg
+.It Fl y Ar mesg | Cm away No = Ar mesg
 Set away status to
 .Ar mesg
-when no clients are connected.
+when no clients are connected
+and no other away status has been set.
 .El
 .
+.Ss Other Options
+.Bl -tag -width Ds
+.It Fl g Ar path
+Generate a TLS client certificate using
+.Xr openssl 1
+and write it to
+.Ar path .
+The certificate is signed
+by the certificate authority if
+.Fl A
+is set,
+otherwise it is self-signed.
+.
+.It Fl o
+Print the server certificate chain
+to standard output in PEM format
+and exit.
+.
+.It Fl v | Cm verbose
+Log IRC messages to standard output:
 .Pp
-Client connections are not accepted
-until successful login to the server.
-If the server connection is lost,
-the
+.Bl -tag -width "<<" -compact
+.It <<
+from
+.Nm
+to the server
+.It >>
+from the server to
+.Nm
+.It ->
+from clients to
+.Nm
+.It <-
+from
 .Nm
-daemon exits.
+to clients
+.El
 .
-.Pp
-Upon receiving the
-.Dv SIGUSR1
-signal,
-the certificate and private key
-will be reloaded from the paths
-specified by
-.Fl C
-and
-.Fl K .
+.It Fl x
+Prompt for a password
+and output a hash
+for use with
+.Cm local-pass .
+.El
 .
 .Ss Client Configuration
 Clients should be configured to
 connect to the host and port set by
-.Fl H
+.Cm local-host
 and
-.Fl P ,
+.Cm local-port ,
 with TLS or SSL enabled.
 If
-.Fl W
+.Cm local-pass
 is used,
 clients must send a server password.
 If
-.Fl A
+.Cm local-ca
 is used,
 clients must connect with a client certificate
 and may request SASL EXTERNAL.
@@ -320,7 +461,7 @@ If both are used,
 clients may authenticate with either method.
 .
 .Pp
-Clients should register with unique usernames,
+Clients must register with unique usernames (not nicknames),
 for example the name of the client software
 or location from which it is connecting.
 New clients with the same username
@@ -331,13 +472,33 @@ The nickname and real name
 sent by clients are ignored.
 .
 .Pp
+Normally a client sending
+.Ic QUIT
+will simply be disconnected from
+.Nm .
+If, however,
+the quit message
+starts with the keyword
+.Sy $pounce ,
+.Nm
+itself will quit.
+The remainder of the message
+following the keyword
+will be used as
+.Nm Ap s
+quit message,
+or the default set by
+.Cm quit
+if there isn't any.
+.
+.Pp
 Clients which request the
 .Sy causal.agency/passive
 capability
 or with usernames beginning with hyphen
 .Ql -
 are considered passive
-and do not affect away status.
+and do not affect automatic away status.
 .
 .Pp
 Pass-through of the following IRCv3 capabilities
@@ -348,7 +509,9 @@ is supported:
 .Sy batch ,
 .Sy cap-notify ,
 .Sy chghost ,
+.Sy echo-message ,
 .Sy extended-join ,
+.Sy extended-monitor ,
 .Sy invite-notify ,
 .Sy labeled-response ,
 .Sy message-tags ,
@@ -366,23 +529,54 @@ not to the server.
 .Ss Generating Client Certificates
 .Bl -enum
 .It
-Generate a self-signed certificate authority (CA):
+Generate self-signed client certificates and private keys:
+.Bd -literal -offset indent
+$ pounce -g client1.pem
+$ pounce -g client2.pem
+.Ed
+.It
+Concatenate the certificate public keys into a CA file:
+.Bd -literal -offset indent
+$ openssl x509 -subject -in client1.pem \e
+	>> ~/.config/pounce/auth.pem
+$ openssl x509 -subject -in client2.pem \e
+	>> ~/.config/pounce/auth.pem
+.Ed
+.It
+Configure
+.Nm
+to verify client certificates
+against the CA file:
+.Bd -literal -offset indent
+local-ca = auth.pem
+# or: $ pounce -A auth.pem
+.Ed
+.El
+.
+.Pp
+Alternatively,
+client certificates can be signed
+by a generated certificate authority:
+.
+.Bl -enum
+.It
+Generate a self-signed certificate authority:
 .Bd -literal -offset indent
-pounce -g auth.pem
+$ pounce -g auth.pem
 .Ed
 .It
 Generate and sign client certificates
 using the CA:
 .Bd -literal -offset indent
-pounce -A auth.pem -g client1.pem
-pounce -A auth.pem -g client2.pem
+$ pounce -A auth.pem -g client1.pem
+$ pounce -A auth.pem -g client2.pem
 .Ed
 .It
 Since only the public key is needed
 for certificate verification,
 extract it from the CA:
 .Bd -literal -offset indent
-openssl x509 -in auth.pem -out auth.crt
+$ openssl x509 -in auth.pem -out ~/.config/pounce/auth.crt
 .Ed
 .It
 Configure
@@ -391,7 +585,7 @@ to verify client certificates
 against the CA:
 .Bd -literal -offset indent
 local-ca = auth.crt
-# or: pounce -A auth.crt
+# or: $ pounce -A auth.crt
 .Ed
 .El
 .
@@ -400,13 +594,13 @@ local-ca = auth.crt
 .It
 Generate a new TLS client certificate:
 .Bd -literal -offset indent
-pounce -g example.pem
+$ pounce -g ~/.config/pounce/example.pem
 .Ed
 .It
 Connect to the server using the certificate:
 .Bd -literal -offset indent
 client-cert = example.pem
-# or: pounce -c example.pem
+# or: $ pounce -c example.pem
 .Ed
 .It
 Identify with services or use
@@ -421,68 +615,27 @@ to require successful authentication when connecting:
 .Bd -literal -offset indent
 client-cert = example.pem
 sasl-external
-# or: pounce -e -c example.pem
+# or: $ pounce -e -c example.pem
 .Ed
 .El
 .
-.Ss Service Configuration
-Add the following to
-.Pa /etc/rc.conf
-to enable the
-.Nm
-daemon:
-.Bd -literal -offset indent
-pounce_enable="YES"
-.Ed
-.
-.Pp
-By default,
-the
-.Nm
-daemon is started in the
-.Pa /usr/local/etc/pounce
-directory.
-Configuration files in that location
-can be loaded by setting
-.Va pounce_flags :
+.Ss Connecting to Servers with Self-signed Certificates
+.Bl -enum
+.It
+Connect to the server
+and write its certificate to a file:
 .Bd -literal -offset indent
-pounce_flags="example.conf"
+$ pounce -o -h irc.example.org > ~/.config/pounce/example.pem
 .Ed
-.
-.Pp
-The
+.It
+Configure
 .Nm
-service supports profiles
-for running multiple instances.
-Set
-.Va pounce_profiles
-to a space-separated list of names.
-Flags for each profile will be set from
-.Va pounce_${profile}_flags .
-For example:
+to trust the certificate:
 .Bd -literal -offset indent
-pounce_profiles="example1 example2"
-pounce_example1_flags="example1.conf"
-pounce_example2_flags="example2.conf"
+trust = example.pem
+# or: $ pounce -t example.pem
 .Ed
-.
-.Pp
-The commands
-.Cm start , stop ,
-etc.\&
-will operate on the profile given as an additional argument,
-or on all profiles without an additional argument.
-.
-.Pp
-The
-.Cm reload
-command will cause the
-.Nm
-daemon to reload certificate files.
-To reload other configuration,
-use the
-.Cm restart
-command.
+.El
 .
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
@@ -490,94 +643,203 @@ command.
 The default nickname.
 .El
 .
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa $XDG_CONFIG_DIRS/pounce
+Configuration files, certificates and private keys
+are searched for first in
+.Ev $XDG_CONFIG_HOME ,
+usually
+.Pa ~/.config ,
+followed by the colon-separated list of paths
+.Ev $XDG_CONFIG_DIRS ,
+usually
+.Pa /etc/xdg .
+.It Pa ~/.config/pounce
+The most likely location of configuration files.
+.
+.It Pa $XDG_DATA_DIRS/pounce
+Save files are searched for first in
+.Ev $XDG_DATA_HOME ,
+usually
+.Pa ~/.local/share ,
+followed by the colon-separated list of paths
+.Ev $XDG_DATA_DIRS ,
+usually
+.Pa /usr/local/share:/usr/share .
+New save files are created in
+.Ev $XDG_DATA_HOME .
+.It Pa ~/.local/share/pounce
+The most likely location of save files.
+.El
+.
 .Sh EXAMPLES
-Configuration on the command line:
+Start
+.Nm :
 .Bd -literal -offset indent
-pounce -H pounce.example.org -h chat.freenode.net -j '#ascii.town'
+$ pounce -H irc.example.org -h irc.tilde.chat -j '#ascii.town'
 .Ed
-.
 .Pp
-Configuration in a file:
+Write an equivalent configuration file to
+.Pa ~/.config/pounce/tilde.conf :
 .Bd -literal -offset indent
-local-host = pounce.example.org
-host = chat.freenode.net
+local-host = irc.example.org
+host = irc.tilde.chat
 join = #ascii.town
 .Ed
+.Pp
+Load the configuration file:
+.Bd -literal -offset indent
+$ pounce tilde.conf
+.Ed
+.
+.Pp
+Add a certificate to
+.Xr acme-client.conf 5 :
+.Bd -literal -offset indent
+domain irc.example.org {
+	domain key "/home/user/.config/pounce/irc.example.org.key"
+	domain full chain certificate \e
+		"/home/user/.config/pounce/irc.example.org.pem"
+	sign with letsencrypt
+}
+.Ed
+.Pp
+Obtain the certificate
+and make the private key readable by
+.Nm :
+.Bd -literal -offset indent
+# acme-client irc.example.org
+# chown user /home/user/.config/pounce/irc.example.org.key
+.Ed
+.Pp
+Renew and reload the certificate with a
+.Xr cron 8
+job:
+.Bd -literal -offset indent
+~ * * * *	acme-client irc.example.org && pkill -USR1 pounce
+.Ed
+.
+.Sh DIAGNOSTICS
+Upon receiving the
+.Dv SIGINFO
+signal,
+.Nm
+prints the current producer position
+and the positions of each consumer
+identified by username.
+Following each consumer position
+is the number by which it trails the producer.
+On systems lacking
+.Dv SIGINFO ,
+.Dv SIGUSR2
+is used.
+.
+.Pp
+If a client reconnects
+after having missed more messages
+than the size of the buffer,
+.Nm
+will print a warning:
+.Bd -ragged -offset indent
+consumer
+.Em name
+dropped
+.Em n
+messages
+.Ed
+.Pp
+The size of the buffer
+can be adjusted with
+.Fl s .
 .
 .Sh SEE ALSO
 .Xr calico 1
 .
 .Sh STANDARDS
-The
-.Nm
-daemon implements the following:
-.
 .Bl -item
 .It
 .Rs
-.%A Attila Molnar
+.%A Waldo Bastian
+.%A Ryan Lortie
+.%A Lennart Poettering
+.%T XDG Base Directory Specification
+.%U https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+.%D November 24, 2010
+.Re
+.It
+.Rs
+.%A Kyle Fuller
+.%A St\('ephan Kochen
+.%A Alexey Sokolov
 .%A James Wheare
-.%T IRCv3 Strict Transport Security
+.%T server-time Extension
 .%I IRCv3 Working Group
-.%U https://ircv3.net/specs/extensions/sts
+.%U https://ircv3.net/specs/extensions/server-time
 .Re
 .It
 .Rs
+.%A Lee Hardy
+.%A Perry Lorier
+.%A Kevin L. Mitchell
 .%A Attila Molnar
+.%A Daniel Oakley
 .%A William Pitcock
-.%T IRCv3.2 SASL Authentication
+.%A James Wheare
+.%T IRCv3 Client Capability Negotiation
 .%I IRCv3 Working Group
-.%U https://ircv3.net/specs/extensions/sasl-3.2
+.%U https://ircv3.net/specs/core/capability-negotiation
 .Re
 .It
 .Rs
-.%A C. Kalt
-.%T Internet Relay Chat: Client Protocol
+.%A S. Josefsson
+.%T The Base16, Base32, and Base64 Data Encodings
 .%I IETF
-.%N RFC 2812
-.%D April 2000
-.%U https://tools.ietf.org/html/rfc2812
+.%R RFC 4648
+.%U https://tools.ietf.org/html/rfc4648
+.%D October 2006
 .Re
 .It
 .Rs
-.%A K. Zeilenga, Ed.
-.%T The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
+.%A C. Kalt
+.%T Internet Relay Chat: Client Protocol
 .%I IETF
-.%N RFC 4616
-.%D August 2006
-.%U https://tools.ietf.org/html/rfc4616
+.%R RFC 2812
+.%U https://tools.ietf.org/html/rfc2812
+.%D April 2000
 .Re
 .It
 .Rs
-.%A Kevin L. Mitchell
-.%A Perry Lorier
-.%A Lee Hardy
-.%A William Pitcock
 .%A Attila Molnar
-.%A Daniel Oakley
 .%A James Wheare
-.%T IRCv3 Client Capability Negotiation
+.%T IRCv3 Strict Transport Security
 .%I IRCv3 Working Group
-.%U https://ircv3.net/specs/core/capability-negotiation
+.%U https://ircv3.net/specs/extensions/sts
 .Re
 .It
 .Rs
-.%A S. Josefsson
-.%T The Base16, Base32, and Base64 Data Encodings
-.%I IETF
-.%N RFC 4648
-.%D October 2006
-.%U https://tools.ietf.org/html/rfc4648
+.%A Attila Molnar
+.%A William Pitcock
+.%T IRCv3.2 SASL Authentication
+.%I IRCv3 Working Group
+.%U https://ircv3.net/specs/extensions/sasl-3.2
 .Re
 .It
 .Rs
-.%A St\('ephan Kochen
-.%A Alexey Sokolov
-.%A Kyle Fuller
-.%A James Wheare
-.%T IRCv3.2 server-time Extension
+.%A Simon Ser
+.%A delthas
+.%T Read marker
 .%I IRCv3 Working Group
-.%U https://ircv3.net/specs/extensions/server-time-3.2
+.%U https://ircv3.net/specs/extensions/read-marker
+.Re
+.It
+.Rs
+.%A K. Zeilenga, Ed.
+.%T The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
+.%I IETF
+.%R RFC 4616
+.%U https://tools.ietf.org/html/rfc4616
+.%D August 2006
 .Re
 .El
 .
@@ -618,7 +880,7 @@ indicate if
 capabilities MUST NOT have values.
 The
 .Nm
-daemon parses
+implementation parses
 .Ql CAP REQ
 values in the same way as
 .Ql CAP LS
@@ -632,36 +894,15 @@ indicates that a client
 should not affect the automatic away status.
 .
 .Sh AUTHORS
-.An June Bug Aq Mt june@causal.agency
-.
-.Sh CAVEATS
-One instance of
-.Nm ,
-and therefore one local port,
-is required for each server connection.
-Alternatively,
-the
-.Xr calico 1
-daemon can be used to dispatch from one local port
-to many instances of
-.Nm
-using Server Name Indication.
-.
-.Pp
-The
-.Nm
-daemon makes no distinction between channels.
-Elevated activity in one channel
-may push messages from a quieter channel
-out of the buffer.
+.An June McEnroe Aq Mt june@causal.agency
 .
 .Sh BUGS
 Send mail to
-.Aq Mt june@causal.agency
+.Aq Mt list+pounce@causal.agency
 or join
 .Li #ascii.town
 on
-.Li chat.freenode.net .
+.Li irc.tilde.chat .
 .
 .Pp
 A client will sometimes receive its own message,