SASL can now be effectively enforced.

[midnightmagic]

Patch disconnects prior to the CAP END stage thus (reportedly) disabling failed SASL auth accidental decloak in the event SASLServ is not available to authenticate.

SASL authentication guarantees vhost-enabled user introduction to the server (at least for the atheme-using IRCd out there like charybdis.)

... which means race-condition accidental cloak leakage is not possible if you've successfully authed on Freenode.