feat: client-side TLS for encrypted client connections

Accept TLS-encrypted connections from IRC clients. Auto-generates a
self-signed EC P-256 listener certificate (bouncer.pem) when no custom
cert is provided. Remove CTCP response items from roadmap (stealth by
design -- router already suppresses all CTCP except ACTION).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
user
2026-02-21 18:47:20 +01:00
parent bfcebad6dd
commit bf4a589fc5
12 changed files with 400 additions and 25 deletions


@@ -179,6 +179,8 @@ Only fires when no clients are attached.
```toml
[bouncer]
bind / port / password
client_tls / client_tls_cert # client-side TLS
client_tls_key # separate key file (optional)
captcha_api_key # NoCaptchaAI key (optional)
captcha_poll_interval / captcha_poll_timeout
probation_seconds / nick_timeout / rejoin_delay
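Review bot: the new `client_tls / client_tls_cert` and `client_tls_key` entries do not say what happens when `client_tls_cert` is left unset. Since this commit auto-generates a self-signed EC P-256 certificate at `{data_dir}/bouncer.pem` in that case, state the default here, e.g. `client_tls_cert # defaults to {data_dir}/bouncer.pem (auto-generated, self-signed)`, and say that the private key is presumably read from the cert file when `client_tls_key` is omitted, so operators know which file holds it. Because the default certificate is self-signed, one more line noting that clients must trust it explicitly (fingerprint or imported cert) rather than expecting chain validation to succeed would save support questions.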
@@ -209,6 +211,7 @@ password # optional, IRC server PASS
| `config/bouncer.toml` | Active config (gitignored) |
| `config/bouncer.example.toml` | Example template |
| `config/bouncer.db` | SQLite backlog (auto-created) |
| `{data_dir}/bouncer.pem` | Listener TLS cert (auto-created) |
| `{data_dir}/certs/{net}/{nick}.pem` | Client certificates (auto-created) |
## Backlog Queries
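Review bot: the `{data_dir}/bouncer.pem` row describes the file only as "Listener TLS cert (auto-created)", but with `client_tls_key` being optional this file presumably also carries the listener's private key. Say so in the description and state whether it is gitignored or permission-restricted the way `config/bouncer.toml` is, since a key file living in the data directory is easy to back up or commit by accident. Suggested row: `| {data_dir}/bouncer.pem | Listener TLS cert + private key (auto-created, self-signed) |`.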