feat: add admin/owner permission system

Hostmask-based admin controls with automatic IRCOP detection via WHO.
Permission enforcement in the central dispatch path denies restricted
commands to non-admins. Includes !whoami and !admins commands, marks
load/reload/unload as admin-only.

Also lands previously-implemented SASL PLAIN auth, token-bucket rate
limiting, and CTCP VERSION/TIME/PING responses that were staged but
uncommitted.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/CHEATSHEET.md

@@ -13,6 +13,24 @@ derp -v               # Verbose/debug mode
 derp --cprofile       # Profile to derp.prof
 ```
 
+## SASL Authentication
+
+```toml
+# In config/derp.toml
+[server]
+sasl_user = "account"
+sasl_pass = "password"
+```
+
+## Rate Limiting
+
+```toml
+# In config/derp.toml (defaults shown)
+[bot]
+rate_limit = 2.0     # Messages per second
+rate_burst = 5       # Burst capacity
+```
+
 ## Container
 
 ```bash
@@ -35,13 +53,28 @@ make logs             # Follow logs
 !h                 # Shorthand (any unambiguous prefix works)
 ```
 
-## Plugin Management
+## Admin
+
+```
+!whoami            # Show your hostmask + admin status
+!admins            # Show admin patterns + detected opers (admin)
+```
+
+```toml
+# config/derp.toml
+[bot]
+admins = ["*!~user@trusted.host", "ops!*@*.ops.net"]
+```
+
+IRC operators are auto-detected via WHO. Hostmask patterns use fnmatch.
+
+## Plugin Management (admin)
 
 ```
 !plugins           # List loaded plugins
-!load <plugin>     # Hot-load a plugin
-!reload <plugin>   # Reload a changed plugin
-!unload <plugin>   # Remove a plugin
+!load <plugin>     # Hot-load a plugin (admin)
+!reload <plugin>   # Reload a changed plugin (admin)
+!unload <plugin>   # Remove a plugin (admin)
 ```
 
 ## OSINT